mariadb/example/manage.nomad.hcl


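# One-shot batch job that provisions databases, users and grants on the
# "mariadb" service (see the manage.sh template below). A fresh UUID in
# meta.run makes every submission differ from the previous one, so Nomad
# schedules the batch again instead of treating the job as unchanged.
job "mariadb-manage" {
  type        = "batch"
  datacenters = ["dc1"]
  region      = "global"

  meta {
    # Force job to run each time
    run = "${uuidv4()}"
  }

  group "manage" {
    network {
      mode = "bridge"
    }

    # Consul Connect sidecar: tasks in this group connect to 127.0.0.1:3306,
    # which the Envoy proxy forwards to the "mariadb" upstream.
    service {
      name = "mariadb-manage"

      connect {
        sidecar_service {
          proxy {
            upstreams {
              destination_name = "mariadb"
              local_bind_port  = 3306
              # Workaround, see https://github.com/hashicorp/nomad/issues/18538
              destination_type = "service"
            }
          }
        }

        sidecar_task {
          config {
            args = [
              "-c",
              "${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
              "-l",
              "${meta.connect.log_level}",
              "--concurrency",
              "${meta.connect.proxy_concurrency}",
              "--disable-hot-restart"
            ]
          }

          resources {
            cpu    = 50
            memory = 64
          }
        }
      }
    }

    # Wait for required services to be ready before starting the main task.
    task "wait-for" {
      driver = "docker"
      user   = "1053"

      config {
        image           = "danielberteaud/wait-for:24.3-1"
        readonly_rootfs = true
        pids_limit      = 20
      }

      lifecycle {
        hook = "prestart"
      }

      env {
        SERVICE_0 = "mariadb.service.consul"
      }

      resources {
        cpu        = 10
        memory     = 10
        memory_max = 30
      }
    }

    task "manage" {
      driver = "docker"

      config {
        image           = "danielberteaud/mariadb-client:24.3-1"
        pids_limit      = 50
        readonly_rootfs = true
        command         = "/local/manage.sh"
        volumes = [
          # Client credentials rendered by the my.cnf template below.
          "secrets/my.cnf:/root/.my.cnf:ro"
        ]
      }

      # The Vault token is only used by the template renderer: it is neither
      # exported as an environment variable nor written into the secrets dir.
      vault {
        policies     = ["mariadb"]
        env          = false
        disable_file = true
        change_mode  = "noop"
      }

      env {
        LANG = "fr_FR.utf8"
        TZ   = "Europe/Paris"
      }

      # Heredoc bodies below are deliberately kept at column 0: leading
      # whitespace inside <<_EOT would become part of the rendered file.

      # Placeholder for the MY_DB_<n>* and MY_USER_<n>* definitions read by
      # manage.sh; exported into the task environment (env = true).
      template {
        data = <<_EOT
# Databases
# Users
_EOT
        destination = "secrets/userdb.env"
        uid         = 100000
        gid         = 100000
        perms       = "0400"
        env         = true
      }

      # The provisioning script itself. It reads its input from the task
      # environment and talks to MariaDB through ~/.my.cnf (root account).
      template {
        data = <<_EOT
#!/bin/sh
# vim: syntax=sh
# NOTE: "pipefail" is not part of POSIX sh; this relies on the image's
# /bin/sh (e.g. busybox ash or bash) accepting the option.
set -euo pipefail

# Values below come from the task environment (userdb.env / manage.env) and
# are interpolated verbatim into SQL: keep names, hosts and passwords free of
# quote characters, otherwise the generated statement fails and the job aborts.

# Superuser account, presumably the one Vault uses to manage credentials
# (the name suggests it; verify against the Vault database configuration).
echo "Create vault user"
mysql <<_EOSQL
CREATE USER IF NOT EXISTS 'vault'@'%' IDENTIFIED BY '${VAULT_INITIAL_PASSWORD}';
GRANT ALL PRIVILEGES ON *.* TO 'vault'@'%' WITH GRANT OPTION;
_EOSQL

echo "Create databases"
# One MY_DB_<n>=<name> variable per database, with optional
# MY_DB_<n>_CHARSET and MY_DB_<n>_COLLATE overrides.
for IDX in $(printenv | grep -E '^MY_DB_([0-9]+)=' | sed -E 's/^MY_DB_([0-9]+)=.*/\1/'); do
  DB_NAME=$(printenv MY_DB_${IDX})
  echo "Found DB ${DB_NAME} to create"
  DB_CHARSET=$(printenv MY_DB_${IDX}_CHARSET || echo "utf8mb4")
  DB_COLLATE=$(printenv MY_DB_${IDX}_COLLATE || echo "utf8mb4_general_ci")
  echo "Create database ${DB_NAME} (CHARACTER SET \"${DB_CHARSET}\" COLLATE \"${DB_COLLATE}\") if needed"
  mysql <<_EOSQL
CREATE DATABASE IF NOT EXISTS ${DB_NAME} CHARACTER SET "${DB_CHARSET}" COLLATE "${DB_COLLATE}"
_EOSQL
done

echo "Create users"
# One MY_USER_<n>=<name> variable per account, with optional
# MY_USER_<n>_HOST (default "%", i.e. any host) and MY_USER_<n>_PASSWORD
# (unset or empty: the account is created without a password).
for IDX in $(printenv | grep -E '^MY_USER_([0-9]+)=' | sed -E 's/^MY_USER_([0-9]+)=.*/\1/'); do
  DB_USER=$(printenv MY_USER_${IDX})
  echo "Found DB User ${DB_USER} to create"
  DB_HOST=$(printenv MY_USER_${IDX}_HOST || echo '%')
  DB_PASSWORD=$(printenv MY_USER_${IDX}_PASSWORD || echo '')
  if [ "${DB_PASSWORD}" = "" ]; then
    mysql <<_EOSQL
CREATE USER IF NOT EXISTS '${DB_USER}'@'${DB_HOST}';
_EOSQL
  else
    mysql <<_EOSQL
CREATE USER IF NOT EXISTS '${DB_USER}'@'${DB_HOST}' IDENTIFIED BY '${DB_PASSWORD}';
_EOSQL
  fi
  echo "Applying grants for ${DB_USER}"
  # Each MY_USER_<n>_GRANT_<m> holds the text that follows "GRANT ".
  # The pattern previously ended in "=)" (a stray parenthesis): grep either
  # rejected it or required a literal ")" right after "=", so no
  # NAME=value line ever matched and no grant was applied.
  for GRANT in $(printenv | grep -E "^MY_USER_${IDX}_GRANT_([0-9]+)=" | sed -E "s/^MY_USER_${IDX}_GRANT_([0-9]+)=.*/\1/"); do
    mysql <<_EOSQL
GRANT $(printenv MY_USER_${IDX}_GRANT_${GRANT});
_EOSQL
  done
done
_EOT
        destination = "local/manage.sh"
        uid         = 100000
        gid         = 100000
        perms       = "0755"
      }

      # Root credentials for the mysql client, mounted read-only at
      # /root/.my.cnf (see config.volumes). The host is the local Envoy
      # listener bound by the upstream above.
      template {
        data = <<_EOT
[client]
host = 127.0.0.1
user = root
password = {{ with secret "kv/service/mariadb" }}{{ .Data.data.root_pwd }}{{ end }}
_EOT
        destination = "secrets/my.cnf"
        # NOTE(review): ownership differs from the other templates in this
        # task — confirm this matches the account the client image runs as.
        uid         = 100100
        gid         = 100101
        perms       = "0640"
      }

      # Secrets consumed by manage.sh, exported into the task environment.
      # BACKUP_PASSWORD is exported but not referenced by the script above.
      template {
        data = <<_EOT
{{ with secret "kv/service/mariadb" }}
VAULT_INITIAL_PASSWORD={{ .Data.data.vault_initial_pwd }}
BACKUP_PASSWORD={{ .Data.data.backup_pwd }}
{{ end }}
_EOT
        destination = "secrets/manage.env"
        uid         = 100000
        gid         = 100000
        perms       = "0400"
        env         = true
      }

      resources {
        cpu    = 20
        memory = 64
      }
    }
  }
}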