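# One-shot batch job that provisions the MariaDB "vault" admin account, the
# application databases, their users and their grants, then exits.
# Database / user definitions are read from environment variables rendered by
# the secrets/userdb.env template; credentials come from Vault (kv/service/mariadb).
job "mariadb-manage" {
  type        = "batch"
  datacenters = ["dc1"]
  region      = "global"

  meta {
    # Force job to run each time: a fresh uuid makes every submission a new
    # job version, so Nomad does not treat a re-submit as a no-op.
    run = "${uuidv4()}"
  }

  group "manage" {
    network {
      mode = "bridge"
    }

    # Consul Connect sidecar: the "mariadb" upstream is bound to 127.0.0.1:3306
    # inside the group network namespace, which is the host the client
    # config (secrets/my.cnf) points at.
    service {
      name = "mariadb-manage"

      connect {
        sidecar_service {
          proxy {
            upstreams {
              destination_name = "mariadb"
              local_bind_port  = 3306
              # Work around, see https://github.com/hashicorp/nomad/issues/18538
              destination_type = "service"
            }
          }
        }

        sidecar_task {
          config {
            args = [
              "-c",
              "${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
              "-l",
              "${meta.connect.log_level}",
              "--concurrency",
              "${meta.connect.proxy_concurrency}",
              "--disable-hot-restart"
            ]
          }

          resources {
            cpu    = 50
            memory = 64
          }
        }
      }
    }

    # Wait for required services to be ready before starting the main task
    task "wait-for" {
      driver = "docker"
      user   = 1053

      config {
        image           = "danielberteaud/wait-for:24.3-1"
        readonly_rootfs = true
        pids_limit      = 20
      }

      lifecycle {
        hook = "prestart"
      }

      env {
        SERVICE_0 = "mariadb.service.consul"
      }

      resources {
        cpu        = 10
        memory     = 10
        memory_max = 30
      }
    }

    # Main task: runs /local/manage.sh once against the upstream MariaDB.
    # NOTE(review): no `user` is set, so the container runs as the image's
    # default user; the client config is mounted at /root/.my.cnf, which
    # presumes that user is root — confirm against the image.
    task "manage" {
      driver = "docker"

      config {
        image           = "danielberteaud/mariadb-client:24.3-1"
        pids_limit      = 50
        readonly_rootfs = true
        command         = "/local/manage.sh"
        volumes = [
          "secrets/my.cnf:/root/.my.cnf:ro"
        ]
      }

      vault {
        policies     = ["mariadb"]
        env          = false
        disable_file = true
        change_mode  = "noop"
      }

      env {
        LANG = "fr_FR.utf8"
        TZ   = "Europe/Paris"
      }

      # Database and user definitions, exported to the task environment.
      # The script below reads MY_DB_<N> (with optional MY_DB_<N>_CHARSET and
      # MY_DB_<N>_COLLATE) and MY_USER_<N> (with optional MY_USER_<N>_HOST,
      # MY_USER_<N>_PASSWORD and MY_USER_<N>_GRANT_<M>). Left empty here;
      # presumably filled in per deployment.
      template {
        data        = <<_EOT
# Databases

# Users
_EOT
        destination = "secrets/userdb.env"
        uid         = 100000
        gid         = 100000
        perms       = 0400
        env         = true
      }

      # The provisioning script. It contains no secrets itself: passwords are
      # read from the environment at runtime and are fed to mysql on stdin,
      # so they never appear on a command line.
      template {
        data        = <<_EOT
#!/bin/sh
# vim: syntax=sh
# NOTE(review): `pipefail` is not POSIX sh; this relies on the image's /bin/sh
# accepting it — confirm against the mariadb-client image.
set -euo pipefail

echo "Create vault user"
mysql <<_EOSQL
CREATE USER IF NOT EXISTS 'vault'@'%' IDENTIFIED BY '${VAULT_INITIAL_PASSWORD}';
GRANT ALL PRIVILEGES ON *.* TO 'vault'@'%' WITH GRANT OPTION;
_EOSQL

# Database names are interpolated into SQL unquoted, so they must be plain
# identifiers (no spaces, quotes or dashes).
echo "Create databases"
for IDX in $(printenv | grep -E '^MY_DB_([0-9]+)=' | sed -E 's/^MY_DB_([0-9]+)=.*/\1/'); do
  DB_NAME=$(printenv MY_DB_${IDX})
  echo "Found DB ${DB_NAME} to create"
  DB_CHARSET=$(printenv MY_DB_${IDX}_CHARSET || echo "utf8mb4")
  DB_COLLATE=$(printenv MY_DB_${IDX}_COLLATE || echo "utf8mb4_general_ci")
  echo "Create database ${DB_NAME} (CHARACTER SET \"${DB_CHARSET}\" COLLATE \"${DB_COLLATE}\") if needed"
  mysql <<_EOSQL
CREATE DATABASE IF NOT EXISTS ${DB_NAME} CHARACTER SET "${DB_CHARSET}" COLLATE "${DB_COLLATE}"
_EOSQL
done

# User names, hosts and passwords are interpolated into single-quoted SQL
# literals; a value containing a single quote would break the statement.
echo "Create users"
for IDX in $(printenv | grep -E '^MY_USER_([0-9]+)=' | sed -E 's/^MY_USER_([0-9]+)=.*/\1/'); do
  DB_USER=$(printenv MY_USER_${IDX})
  echo "Found DB User ${DB_USER} to create"
  DB_HOST=$(printenv MY_USER_${IDX}_HOST || echo '%')
  DB_PASSWORD=$(printenv MY_USER_${IDX}_PASSWORD || echo '')
  # An empty password creates a passwordless account: only sensible for
  # auth plugins that do not use it (e.g. socket auth) — keep in mind.
  if [ "${DB_PASSWORD}" = "" ]; then
    mysql <<_EOSQL
CREATE USER IF NOT EXISTS '${DB_USER}'@'${DB_HOST}';
_EOSQL
  else
    mysql <<_EOSQL
CREATE USER IF NOT EXISTS '${DB_USER}'@'${DB_HOST}' IDENTIFIED BY '${DB_PASSWORD}';
_EOSQL
  fi
  echo "Applying grants for ${DB_USER}"
  # Fixed: the pattern previously ended in "=)", an unmatched ")" that made
  # grep -E fail, so the grant loop never ran and grants were silently skipped
  # (a failing command substitution in a for-list does not trip set -e).
  # MY_USER_<N>_GRANT_<M> holds the full grant clause, e.g.
  # "ALL PRIVILEGES ON db.* TO 'user'@'%'" (constructed example).
  for GRANT in $(printenv | grep -E "^MY_USER_${IDX}_GRANT_([0-9]+)=" | sed -E "s/^MY_USER_${IDX}_GRANT_([0-9]+)=.*/\1/"); do
    mysql <<_EOSQL
GRANT $(printenv MY_USER_${IDX}_GRANT_${GRANT});
_EOSQL
  done
done
_EOT
        destination = "local/manage.sh"
        uid         = 100000
        gid         = 100000
        perms       = 755
      }

      # MariaDB client config with the root password from Vault; mounted
      # read-only into the container as /root/.my.cnf (see config.volumes).
      template {
        data        = <<_EOT
[client]
host = 127.0.0.1
user = root
password = {{ with secret "kv/service/mariadb" }}{{ .Data.data.root_pwd }}{{ end }}
_EOT
        destination = "secrets/my.cnf"
        uid         = 100100
        gid         = 100101
        perms       = 640
      }

      # Secrets exported to the task environment. VAULT_INITIAL_PASSWORD is
      # used by manage.sh; BACKUP_PASSWORD is exported but not read by the
      # script above.
      template {
        data        = <<_EOT
{{ with secret "kv/service/mariadb" }}
VAULT_INITIAL_PASSWORD={{ .Data.data.vault_initial_pwd }}
BACKUP_PASSWORD={{ .Data.data.backup_pwd }}
{{ end }}
_EOT
        destination = "secrets/manage.env"
        uid         = 100000
        gid         = 100000
        perms       = 400
        env         = true
      }

      resources {
        cpu    = 20
        memory = 64
      }
    }
  }
}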