This commit is contained in:
Daniel Berteaud 2024-01-31 14:06:09 +01:00
parent 01a44781b7
commit e16c19a21f
13 changed files with 102 additions and 94 deletions


@ -2,22 +2,22 @@
set -euo pipefail set -euo pipefail
if [ "$(vault secrets list -format json | jq -r '.["database/"].type')" != "database" ]; then if [ "$(vault secrets list -format json | jq -r '.["/database/"].type')" != "database" ]; then
vault secrets enable -path database database vault secrets enable -path /database database
fi fi
if [ "$(vault list -format json database/config | jq '.[] | test("^mariadb$")')" = "false" ]; then if [ "$(vault list -format json /database/config | jq '.[] | test("^mariadb$")')" = "false" ]; then
vault write database/config/mariadb \ vault write /database/config/mariadb \
plugin_name="mysql-database-plugin" \ plugin_name="mysql-database-plugin" \
connection_url="{{username}}:{{password}}@tcp(mariadb.example.org:3306)/" \ connection_url="{{username}}:{{password}}@tcp(mariadb.example.org:3306)/" \
allowed_roles="*" \ allowed_roles="*" \
username=vault \ username=vault \
password="$(vault kv get -field vault_initial_pwd kv/service/mariadb)" \ password="$(vault kv get -field vault_initial_pwd /kv/service/mariadb)" \
disable_escaping=true disable_escaping=true
vault write -force database/rotate-root/mariadb vault write -force /database/rotate-root/mariadb
fi fi
vault write database/roles/mariadb-admin \ vault write /database/roles/mariadb-admin \
db_name="mariadb" \ db_name="mariadb" \
creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; \ creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; \
GRANT ALL PRIVILEGES ON *.* TO '{{name}}'@'%' WITH GRANT OPTION; \ GRANT ALL PRIVILEGES ON *.* TO '{{name}}'@'%' WITH GRANT OPTION; \
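Review bot: The mount check on the first changed line now looks up `.["/database/"]` in the `vault secrets list -format json` output, but that listing keys mounts by their stored path without a leading slash (`database/`), so the lookup most likely yields null, the comparison fails on every run, and the script re-runs `vault secrets enable`, which errors out under `set -e` once the mount already exists. The enable, write and list commands tolerate the leading slash because the CLI strips it, so only the jq key needs to lose it: `jq -r '.["database/"].type'`. The same lookup is in the template this file is rendered from (the `[[ .vault.root ]]database/` hunk later in this commit), which is where the fix belongs.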


@ -26,6 +26,18 @@ job "mariadb-manage" {
} }
} }
sidecar_task { sidecar_task {
config {
args = [
"-c",
"${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
"-l",
"${meta.connect.log_level}",
"--concurrency",
"${meta.connect.proxy_concurrency}",
"--disable-hot-restart"
]
}
resources { resources {
cpu = 50 cpu = 50
memory = 64 memory = 64
@ -78,10 +90,14 @@ job "mariadb-manage" {
] ]
} }
vault { vault {
policies = ["mariadb"] policies = ["mariadb"]
env = false
disable_file = true
} }
env { env {
LANG = "fr_FR.utf8" LANG = "fr_FR.utf8"
@ -163,7 +179,7 @@ _EOT
[client] [client]
host = 127.0.0.1 host = 127.0.0.1
user = root user = root
password = {{ with secret "kv/service/mariadb" }}{{ .Data.data.root_pwd }}{{ end }} password = {{ with secret "/kv/service/mariadb" }}{{ .Data.data.root_pwd }}{{ end }}
_EOT _EOT
destination = "secrets/my.cnf" destination = "secrets/my.cnf"
uid = 100100 uid = 100100
@ -173,7 +189,7 @@ _EOT
template { template {
data = <<_EOT data = <<_EOT
{{ with secret "kv/service/mariadb" }} {{ with secret "/kv/service/mariadb" }}
VAULT_INITIAL_PASSWORD={{ .Data.data.vault_initial_pwd }} VAULT_INITIAL_PASSWORD={{ .Data.data.vault_initial_pwd }}
BACKUP_PASSWORD={{ .Data.data.backup_pwd }} BACKUP_PASSWORD={{ .Data.data.backup_pwd }}
{{ end }} {{ end }}
@ -185,6 +201,7 @@ _EOT
env = true env = true
} }
resources { resources {
cpu = 20 cpu = 20
memory = 64 memory = 64
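Review bot: The new `env = false` and `disable_file = true` lines in the vault block carry no comment, so a later reader may flip one of them back without seeing that the task's templates still render the KV secrets without the token ever being exposed to the container. A short why-comment above them, `# Token is only needed for template rendering; keep it out of the env and out of secrets/vault_token`, would record the intent. This file is rendered output, so the comment belongs in the shared template that emits this block (not part of this diff).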


@ -1,4 +1,5 @@
job "mariadb" { job "mariadb" {
datacenters = ["dc1"] datacenters = ["dc1"]
@ -27,6 +28,18 @@ job "mariadb" {
disable_default_tcp_check = true disable_default_tcp_check = true
} }
sidecar_task { sidecar_task {
config {
args = [
"-c",
"${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
"-l",
"${meta.connect.log_level}",
"--concurrency",
"${meta.connect.proxy_concurrency}",
"--disable-hot-restart"
]
}
resources { resources {
cpu = 50 cpu = 50
memory = 64 memory = 64
@ -47,6 +60,11 @@ job "mariadb" {
timeout = "10s" timeout = "10s"
interval = "5s" interval = "5s"
} }
tags = [
]
} }
# Run mysql_upgrade # Run mysql_upgrade
@ -76,7 +94,7 @@ job "mariadb" {
[client] [client]
user = root user = root
host = 127.0.0.1 host = 127.0.0.1
password = {{ with secret "kv/service/mariadb" }}{{ .Data.data.root_pwd }}{{ end }} password = {{ with secret "/kv/service/mariadb" }}{{ .Data.data.root_pwd }}{{ end }}
_EOT _EOT
destination = "secrets/.my.cnf" destination = "secrets/.my.cnf"
uid = 100100 uid = 100100
@ -156,7 +174,7 @@ _EOT
template { template {
data = <<_EOT data = <<_EOT
{{ with secret "kv/service/mariadb" }} {{ with secret "/kv/service/mariadb" }}
MYSQL_ROOT_PASSWORD={{ .Data.data.root_pwd }} MYSQL_ROOT_PASSWORD={{ .Data.data.root_pwd }}
{{ end }} {{ end }}
_EOT _EOT
@ -171,7 +189,7 @@ _EOT
data = <<_EOT data = <<_EOT
[client] [client]
user = root user = root
password = {{ with secret "kv/service/mariadb" }}{{ .Data.data.root_pwd }}{{ end }} password = {{ with secret "/kv/service/mariadb" }}{{ .Data.data.root_pwd }}{{ end }}
_EOT _EOT
destination = "secrets/my.conf" destination = "secrets/my.conf"
uid = 100100 uid = 100100
@ -184,6 +202,7 @@ _EOT
destination = "/data" destination = "/data"
} }
resources { resources {
cpu = 1000 cpu = 1000
memory = 512 memory = 512
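Review bot: The sidecar args added at the top of this section (and the identical block in the mariadb-manage job) pass `"${meta.connect.log_level}"` and `"${meta.connect.proxy_concurrency}"` straight to Envoy, so a client node that does not define those meta keys hands `-l` and `--concurrency` an empty or uninterpolated value; I cannot tell from the diff whether every client sets them. If the keys are optional, either drop the two flags and let Envoy use its defaults, or document the requirement next to the block: `# Requires client meta connect.log_level and connect.proxy_concurrency`.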


@ -2,15 +2,22 @@
set -euo pipefail set -euo pipefail
if ! vault kv list kv/service 2>/dev/null | grep -q -E '^mariadb$'; then # vim: syntax=sh
vault kv put kv/service/mariadb \
root_pwd=$(pwgen -s -n 50 1) \
vault_initial_pwd=$(pwgen -s -n 50 1)
fi
for PWD in root_pwd vault_initial_pwd; do export LC_ALL=C
if ! vault kv get -field ${PWD} kv/service/mariadb >/dev/null 2>&1; then VAULT_KV_PATH=/kv/service/mariadb
vault kv patch kv/service/mariadb \ RAND_CMD="tr -dc A-Za-z0-9\-_\/=~\.+ < /dev/urandom | head -c 50"
${PWD}=$(pwgen -s -n 50 1) if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then
vault kv put ${VAULT_KV_PATH} \
vault_initial_pwd="$(sh -c "${RAND_CMD}")" \
root_pwd="$(sh -c "${RAND_CMD}")" \
fi
for SECRET in vault_initial_pwd root_pwd; do
if ! vault kv get -field ${SECRET} ${VAULT_KV_PATH} >/dev/null 2>&1; then
vault kv patch ${VAULT_KV_PATH} \
${SECRET}=$(sh -c "${RAND_CMD}")
fi fi
done done
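Review bot: In the `vault kv put` call the last argument line `root_pwd="$(sh -c "${RAND_CMD}")" \` ends with a line continuation, so the following `fi` is joined onto the command as one more argument and the `if` is never closed; bash rejects the whole script at parse time. Dropping the trailing backslash on that line fixes it, and since this file is rendered from `common/vault.rand_secrets` (not in this diff), the stray continuation has to be removed in the template. A secondary point: `RAND_CMD` is a string handed to `sh -c` only to be parsed a second time, with backslash escapes inside a double-quoted class whose handling by `tr` is implementation-defined; a function such as `rand_secret() { tr -dc 'A-Za-z0-9_/=~.+-' < /dev/urandom | head -c 50; }` avoids both.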


@ -1,19 +0,0 @@
#!/bin/sh
set -eu
if [ "mariadb" != "mariadb" ]; then
for DIR in vault consul nomad; do
if [ -d output/${DIR} ]; then
for FILE in $(find output/${DIR} -name "*mariadb*.hcl" -type f); do
NEW_FILE=$(echo "${FILE}" | sed -E "s/mariadb/mariadb/g")
mv "${FILE}" "${NEW_FILE}"
done
fi
done
fi


@ -1,3 +1,3 @@
path "kv/data/service/mariadb" { path "/kv/data/service/mariadb" {
capabilities = ["read"] capabilities = ["read"]
} }


@ -2,22 +2,22 @@
set -euo pipefail set -euo pipefail
if [ "$(vault secrets list -format json | jq -r '.["[[ .vault.prefix ]]database/"].type')" != "database" ]; then if [ "$(vault secrets list -format json | jq -r '.["[[ .vault.root ]]database/"].type')" != "database" ]; then
vault secrets enable -path [[ .vault.prefix ]]database database vault secrets enable -path [[ .vault.root ]]database database
fi fi
if [ "$(vault list -format json [[ .vault.prefix ]]database/config | jq '.[] | test("^[[ .instance ]]$")')" = "false" ]; then if [ "$(vault list -format json [[ .vault.root ]]database/config | jq '.[] | test("^[[ .instance ]]$")')" = "false" ]; then
vault write [[ .vault.prefix ]]database/config/[[ .instance ]] \ vault write [[ .vault.root ]]database/config/[[ .instance ]] \
plugin_name="mysql-database-plugin" \ plugin_name="mysql-database-plugin" \
connection_url="{{username}}:{{password}}@tcp([[ (urlParse .mariadb.server.public_address).Host ]])/" \ connection_url="{{username}}:{{password}}@tcp([[ (urlParse .mariadb.server.public_address).Host ]])/" \
allowed_roles="*" \ allowed_roles="*" \
username=vault \ username=vault \
password="$(vault kv get -field vault_initial_pwd [[ .vault.prefix ]]kv/service/[[ .instance ]])" \ password="$(vault kv get -field vault_initial_pwd [[ .vault.root ]]kv/service/[[ .instance ]])" \
disable_escaping=true disable_escaping=true
vault write -force [[ .vault.prefix ]]database/rotate-root/[[ .instance ]] vault write -force [[ .vault.root ]]database/rotate-root/[[ .instance ]]
fi fi
vault write [[ .vault.prefix ]]database/roles/mariadb-admin \ vault write [[ .vault.root ]]database/roles/mariadb-admin \
db_name="mariadb" \ db_name="mariadb" \
creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; \ creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; \
GRANT ALL PRIVILEGES ON *.* TO '{{name}}'@'%' WITH GRANT OPTION; \ GRANT ALL PRIVILEGES ON *.* TO '{{name}}'@'%' WITH GRANT OPTION; \


@ -1,7 +1,8 @@
[[ $c := merge .mariadb.manage . -]]
job "[[ .instance ]]-manage" { job "[[ .instance ]]-manage" {
type = "batch" type = "batch"
[[ template "common/job_start.tpl" $c ]]
[[- $c := merge .mariadb.manage . ]]
[[ template "common/job_start" $c ]]
meta { meta {
# Force job to run each time # Force job to run each time
@ -14,17 +15,17 @@ job "[[ .instance ]]-manage" {
} }
service { service {
name = "[[ .instance ]]-manage[[ $c.consul.suffix ]]" name = "[[ .instance ]]-manage[[ .consul.suffix ]]"
[[ template "common/connect.tpl" $c ]] [[ template "common/connect" $c ]]
} }
[[ template "common/task.wait_for.tpl" $c ]] [[ template "common/task.wait_for" $c ]]
task "manage" { task "manage" {
driver = [[ $c.nomad.driver | toJSON ]] driver = "[[ $c.nomad.driver ]]"
config { config {
image = [[ .mariadb.manage.image | toJSON ]] image = "[[ .mariadb.manage.image ]]"
pids_limit = 50 pids_limit = 50
readonly_rootfs = true readonly_rootfs = true
command = "/local/manage.sh" command = "/local/manage.sh"
@ -33,12 +34,10 @@ job "[[ .instance ]]-manage" {
] ]
} }
vault { [[ template "common/vault.policies" merge .mariadb . ]]
policies = ["[[ .instance ]][[ $c.consul.suffix ]]"]
}
env { env {
[[ template "common/env.tpl" $c.env ]] [[ template "common/env" $c.env ]]
} }
template { template {
@ -97,7 +96,7 @@ _EOT
[client] [client]
host = 127.0.0.1 host = 127.0.0.1
user = root user = root
password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }} password = {{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
_EOT _EOT
destination = "secrets/my.cnf" destination = "secrets/my.cnf"
uid = 100100 uid = 100100
@ -107,7 +106,7 @@ _EOT
template { template {
data = <<_EOT data = <<_EOT
{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }} {{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}
VAULT_INITIAL_PASSWORD={{ .Data.data.vault_initial_pwd }} VAULT_INITIAL_PASSWORD={{ .Data.data.vault_initial_pwd }}
BACKUP_PASSWORD={{ .Data.data.backup_pwd }} BACKUP_PASSWORD={{ .Data.data.backup_pwd }}
{{ end }} {{ end }}
@ -119,7 +118,7 @@ _EOT
env = true env = true
} }
[[ template "common/resources.tpl" .mariadb.manage.resources ]] [[ template "common/resources" $c ]]
} }
} }
} }
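Review bot: `driver = "[[ $c.nomad.driver ]]"` and `image = "[[ .mariadb.manage.image ]]"` replace the previous `| toJSON` form with hand-written quotes, which drops the escaping toJSON provided; a value containing a double quote or backslash now yields invalid HCL instead of a quoted string. This is a point of style since driver names and image references rarely contain such characters, but `driver = [[ $c.nomad.driver | toJSON ]]` and `image = [[ .mariadb.manage.image | toJSON ]]` are the safer form and are what the file used before this commit.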


@ -1,7 +1,6 @@
job "[[ .instance ]]" { job "[[ .instance ]]" {
[[- $c := merge .mariadb.server .mariadb . -]] [[- $c := merge .mariadb.server .mariadb . ]]
[[ template "common/job_start" $c ]] [[ template "common/job_start" $c ]]
group "server" { group "server" {
@ -13,7 +12,7 @@ job "[[ .instance ]]" {
[[ template "common/volumes" $c ]] [[ template "common/volumes" $c ]]
service { service {
name = "[[ .instance ]][[ $c.consul.suffix ]]" name = "[[ .instance ]][[ .consul.suffix ]]"
port = 3306 port = 3306
[[ template "common/connect" $c ]] [[ template "common/connect" $c ]]
@ -30,14 +29,9 @@ job "[[ .instance ]]" {
interval = "5s" interval = "5s"
} }
[[- if $c.traefik.enabled ]]
tags = [ tags = [
"[[ $c.traefik.instance ]].enable=true", [[ template "common/traefik_tags" $c ]]
"[[ $c.traefik.instance ]].tcp.routers.[[ .instance ]][[ $c.consul.suffix ]].rule=HostSNI(`*`)",
"[[ $c.traefik.instance ]].tcp.routers.[[ .instance ]][[ $c.consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
"[[ $c.traefik.instance ]].tcp.routers.[[ .instance ]][[ $c.consul.suffix ]].middlewares=[[ join $c.traefik.middlewares "," ]]"
] ]
[[- end ]]
} }
# Run mysql_upgrade # Run mysql_upgrade
@ -49,9 +43,9 @@ job "[[ .instance ]]" {
} }
config { config {
image = "[[ .mariadb.server.image ]]" image = "[[ .mariadb.server.image ]]"
pids_limit = 100 pids_limit = 100
command = "/local/mysql_upgrade.sh" command = "/local/mysql_upgrade.sh"
} }
[[ template "common/vault.policies" $c ]] [[ template "common/vault.policies" $c ]]
@ -61,7 +55,7 @@ job "[[ .instance ]]" {
[client] [client]
user = root user = root
host = 127.0.0.1 host = 127.0.0.1
password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }} password = {{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
_EOT _EOT
destination = "secrets/.my.cnf" destination = "secrets/.my.cnf"
uid = 100100 uid = 100100
@ -114,7 +108,7 @@ _EOT
template { template {
data = <<_EOT data = <<_EOT
{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }} {{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}
MYSQL_ROOT_PASSWORD={{ .Data.data.root_pwd }} MYSQL_ROOT_PASSWORD={{ .Data.data.root_pwd }}
{{ end }} {{ end }}
_EOT _EOT
@ -129,7 +123,7 @@ _EOT
data = <<_EOT data = <<_EOT
[client] [client]
user = root user = root
password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }} password = {{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
_EOT _EOT
destination = "secrets/my.conf" destination = "secrets/my.conf"
uid = 100100 uid = 100100
@ -186,7 +180,7 @@ _EOT
[client] [client]
user = root user = root
host = 127.0.0.1 host = 127.0.0.1
password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }} password = {{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
_EOT _EOT
destination = "secrets/.my.cnf" destination = "secrets/.my.cnf"
uid = 100000 uid = 100000
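Review bot: The tags hunk removes the `[[- if $c.traefik.enabled ]]` guard together with the explicit catch-all HostSNI TCP router rule and delegates to `common/traefik_tags`, which is not in this diff, so I cannot confirm that the shared template reproduces both the enabled check and the catch-all SNI rule a plain TCP router needs. The rendered mariadb job in this commit shows `tags = [` followed by `]`, consistent with the template emitting nothing while traefik is disabled, but the enabled path is unverified here. A comment at the call site recording the expectation, `# traefik_tags must emit the TCP router with its catch-all HostSNI rule when traefik.enabled is true`, would make that contract visible.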


@ -2,15 +2,4 @@
set -euo pipefail set -euo pipefail
if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .instance ]]$'; then [[ template "common/vault.rand_secrets" merge .mariadb . ]]
vault kv put [[ .vault.prefix ]]kv/service/[[ .instance ]] \
root_pwd=$(pwgen -s -n 50 1) \
vault_initial_pwd=$(pwgen -s -n 50 1)
fi
for PWD in root_pwd vault_initial_pwd; do
if ! vault kv get -field ${PWD} [[ .vault.prefix ]]kv/service/[[ .instance ]] >/dev/null 2>&1; then
vault kv patch [[ .vault.prefix ]]kv/service/[[ .instance ]] \
${PWD}=$(pwgen -s -n 50 1)
fi
done


@ -1 +0,0 @@
[[ template "common/mv_conf.sh" dict "ctx" . "services" (dict "mariadb" .instance) ]]


@ -8,6 +8,10 @@ mariadb:
vault: vault:
policies: policies:
- '[[ .instance ]][[ .consul.suffix ]]' - '[[ .instance ]][[ .consul.suffix ]]'
rand_secrets:
fields:
- vault_initial_pwd
- root_pwd
# MariaDB server settings # MariaDB server settings
server: server:
@ -32,11 +36,10 @@ mariadb:
traefik: traefik:
# Toggle if Traefik support is enabled # Toggle if Traefik support is enabled
enabled: false enabled: false
proto: tcp
# List of entrypoints to bind the sevrice to. This must be a dedicated TCP entrypoint # List of entrypoints to bind the sevrice to. This must be a dedicated TCP entrypoint
entrypoints: entrypoints:
- mariadb - mariadb
# List of TCP middlewares to apply
middlewares: []
consul: consul:
connect: connect:
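Review bot: The new `rand_secrets.fields` list has no comment, while the neighbouring keys (`enabled`, `entrypoints`) each carry one, so a reader of the values file cannot tell that these names become KV fields filled with random values when absent, which is what the rendered script in this commit does with them. Suggest `# Fields of the service KV secret to generate with a random value when missing` above `rand_secrets:`. Note that `backup_pwd`, which the manage job template reads from the same secret, is not in this list; if that is intentional, a comment saying where it is provisioned would help.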


@ -1,3 +1,3 @@
path "[[ .vault.prefix ]]kv/data/service/[[ .instance ]]" { path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
capabilities = ["read"] capabilities = ["read"]
} }