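# One-shot management job for the MariaDB service: bootstraps the 'vault'
# super user, then creates the databases / users / grants described by the
# MY_DB_* and MY_USER_* variables rendered into secrets/userdb.env.
# It reaches MariaDB through a Consul Connect sidecar and authenticates as
# root with a password pulled from Vault (kv/service/mariadb).
job "mariadb-manage" {

  type = "batch"

  datacenters = ["dc1"]

  region = "global"

  meta {
    # Force job to run each time it is submitted: an unchanged batch job
    # would otherwise be a no-op, so a fresh UUID makes every
    # "nomad job run" register a new version
    run = "${uuidv4()}"
  }

  group "manage" {

    network {
      mode = "bridge"
    }

    # The mysql client only ever talks to 127.0.0.1:3306 inside the group
    # network namespace; the Envoy sidecar carries the connection to the
    # "mariadb" service over Connect mTLS
    service {
      name = "mariadb-manage"
      connect {
        sidecar_service {
          proxy {
            upstreams {
              destination_name = "mariadb"
              local_bind_port  = 3306
              # Workaround, see https://github.com/hashicorp/nomad/issues/18538
              destination_type = "service"
            }
          }
        }
        sidecar_task {
          config {
            args = [
              "-c",
              "${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
              "-l",
              "${meta.connect.log_level}",
              "--concurrency",
              "${meta.connect.proxy_concurrency}",
              "--disable-hot-restart"
            ]
          }
          resources {
            cpu    = 50
            memory = 64
          }
        }
      }
    }

    # Wait for required services to be ready before starting the main task
    task "wait-for" {

      driver = "docker"
      user   = 1053

      config {
        image           = "danielberteaud/wait-for:24.3-1"
        readonly_rootfs = true
        pids_limit      = 20
      }

      lifecycle {
        hook = "prestart"
      }

      env {
        # Resolved through Consul DNS; the actual connection below goes
        # through the sidecar, this only guards against racing the server
        SERVICE_0 = "mariadb.service.consul"
      }

      resources {
        cpu        = 10
        memory     = 10
        memory_max = 30
      }
    }

    # NOTE(review): no "user" is set on this task, so the container runs as
    # the image's default user (presumably root, remapped by the 100000
    # offset the rendered files are chowned to) — confirm this is intended
    task "manage" {
      driver = "docker"

      config {
        image           = "danielberteaud/mariadb-client:24.3-1"
        pids_limit      = 50
        readonly_rootfs = true
        command         = "/local/manage.sh"
        # Root credentials are picked up by the mysql client from its
        # default option file; the rendered file is mounted read-only
        volumes = [
          "secrets/my.cnf:/root/.my.cnf:ro"
        ]
      }

      vault {
        policies = ["mariadb"]
        # The Vault token is only needed by the template renderer: keep it
        # out of the task environment and off the secrets dir
        env          = false
        disable_file = true
        # A token change must not restart this batch task mid-run
        change_mode = "noop"
      }

      env {
        LANG = "fr_FR.utf8"
        TZ   = "Europe/Paris"
      }

      # Databases and users to manage, one variable per item, exported to
      # the task environment and consumed by manage.sh below. Empty here;
      # presumably filled in by the generator this spec comes from.
      # Expected shape: MY_DB_<n>[=name], MY_DB_<n>_CHARSET, MY_DB_<n>_COLLATE,
      # MY_USER_<n>[=name], MY_USER_<n>_HOST, MY_USER_<n>_PASSWORD,
      # MY_USER_<n>_GRANT_<m> (the SQL text following the GRANT keyword)
      template {
        data        = <<_EOT
# Databases
# Users
_EOT
        destination = "secrets/userdb.env"
        uid         = 100000
        gid         = 100000
        perms       = 0400
        env         = true
      }

      template {
        data        = <<_EOT
#!/bin/sh

# vim: syntax=sh

# Bootstrap / reconcile the MariaDB instance reached through the Connect
# sidecar (127.0.0.1:3306, root credentials read from /root/.my.cnf):
#   1. create the 'vault' super user (consumed by Vault's database engine)
#   2. create databases described by MY_DB_<n>[_CHARSET|_COLLATE]
#   3. create users described by MY_USER_<n>[_HOST|_PASSWORD|_GRANT_<m>]
# Every statement uses IF NOT EXISTS, so re-running the job is safe, but an
# existing user keeps its current password (IDENTIFIED BY is not re-applied).
#
# All inputs come from the rendered userdb.env / manage.env templates, i.e.
# operator-controlled config, but they are still spliced into SQL text, so
# identifiers, hosts and passwords are checked before use.

set -euo pipefail

# Abort if $2 ($1 names it) is empty or holds anything outside
# [A-Za-z0-9_-]: such values are backtick-quoted in SQL below and must not
# be able to close that quote
check_ident() {
  case "$2" in
    ""|*[!A-Za-z0-9_-]*)
      echo "Invalid $1: '$2'" >&2
      exit 1
      ;;
  esac
}

# Same for MySQL host patterns ('%', 'localhost', '10.0.0.%', '::1', ...)
check_host() {
  case "$2" in
    ""|*[!A-Za-z0-9_.%:/-]*)
      echo "Invalid host for $1: '$2'" >&2
      exit 1
      ;;
  esac
}

# Passwords end up inside a single-quoted SQL literal; refusing quotes and
# backslashes is simpler (and safer) than escaping them in POSIX sh
check_password() {
  case "$2" in
    *\'*|*\\*)
      echo "Password for $1 must not contain single quotes or backslashes" >&2
      exit 1
      ;;
  esac
}

echo "Create vault user"
check_password vault "${VAULT_INITIAL_PASSWORD}"
# Full super user WITH GRANT OPTION: Vault's database engine creates and
# drops its own roles with this account. The password is only the initial
# one (the KV key is named vault_initial_pwd, so presumably Vault rotates
# it afterwards); IF NOT EXISTS leaves an already created user untouched.
mysql <<_EOSQL
CREATE USER IF NOT EXISTS 'vault'@'%' IDENTIFIED BY '${VAULT_INITIAL_PASSWORD}';
GRANT ALL PRIVILEGES ON *.* TO 'vault'@'%' WITH GRANT OPTION;
_EOSQL

echo "Create databases"
# MY_DB_<n> is the name, MY_DB_<n>_CHARSET / _COLLATE are optional
for IDX in $(printenv | grep -E '^MY_DB_([0-9]+)=' | sed -E 's/^MY_DB_([0-9]+)=.*/\1/'); do
  DB_NAME=$(printenv MY_DB_${IDX})
  echo "Found DB ${DB_NAME} to create"
  DB_CHARSET=$(printenv MY_DB_${IDX}_CHARSET || echo "utf8mb4")
  DB_COLLATE=$(printenv MY_DB_${IDX}_COLLATE || echo "utf8mb4_general_ci")
  check_ident "database name" "${DB_NAME}"
  check_ident "charset" "${DB_CHARSET}"
  check_ident "collation" "${DB_COLLATE}"
  echo "Create database ${DB_NAME} (CHARACTER SET \"${DB_CHARSET}\" COLLATE \"${DB_COLLATE}\") if needed"
  # Backticks are escaped so the sh heredoc passes them to mysql literally
  mysql <<_EOSQL
CREATE DATABASE IF NOT EXISTS \`${DB_NAME}\` CHARACTER SET "${DB_CHARSET}" COLLATE "${DB_COLLATE}"
_EOSQL
done

echo "Create users"
# MY_USER_<n> is the name; optional MY_USER_<n>_HOST (default '%'),
# MY_USER_<n>_PASSWORD (empty/unset creates the account with no password)
# and MY_USER_<n>_GRANT_<m>, each holding one GRANT statement minus the
# GRANT keyword
for IDX in $(printenv | grep -E '^MY_USER_([0-9]+)=' | sed -E 's/^MY_USER_([0-9]+)=.*/\1/'); do
  DB_USER=$(printenv MY_USER_${IDX})
  echo "Found DB User ${DB_USER} to create"
  DB_HOST=$(printenv MY_USER_${IDX}_HOST || echo '%')
  DB_PASSWORD=$(printenv MY_USER_${IDX}_PASSWORD || echo '')
  check_ident "user name" "${DB_USER}"
  check_host "${DB_USER}" "${DB_HOST}"
  check_password "${DB_USER}" "${DB_PASSWORD}"
  if [ "${DB_PASSWORD}" = "" ]; then
    # NOTE(review): a passwordless account (on host '%' by default) is
    # usable by anyone who can reach the port — make sure this is intended
    mysql <<_EOSQL
CREATE USER IF NOT EXISTS '${DB_USER}'@'${DB_HOST}';
_EOSQL
  else
    mysql <<_EOSQL
CREATE USER IF NOT EXISTS '${DB_USER}'@'${DB_HOST}' IDENTIFIED BY '${DB_PASSWORD}';
_EOSQL
  fi

  echo "Applying grants for ${DB_USER}"
  # The grant text is raw SQL taken from the config and executed as is;
  # it cannot be validated here, only the operator can keep it sane.
  # (The pattern used to carry a stray ')' that made grep -E fail, so no
  # grant was ever applied.)
  for GRANT in $(printenv | grep -E "^MY_USER_${IDX}_GRANT_([0-9]+)=" | sed -E "s/^MY_USER_${IDX}_GRANT_([0-9]+)=.*/\1/"); do
    mysql <<_EOSQL
GRANT $(printenv MY_USER_${IDX}_GRANT_${GRANT});
_EOSQL
  done
done

_EOT
        destination = "local/manage.sh"
        uid         = 100000
        gid         = 100000
        perms       = 755
      }

      # Default option file for the mysql client: root password from Vault.
      # NOTE(review): owner 100100:100101 looks like container uid/gid
      # 100:101 under a 100000 userns offset — confirm the user running the
      # client can actually read it with mode 640
      template {
        data        = <<_EOT
[client]
host = 127.0.0.1
user = root
password = {{ with secret "kv/service/mariadb" }}{{ .Data.data.root_pwd }}{{ end }}
_EOT
        destination = "secrets/my.cnf"
        uid         = 100100
        gid         = 100101
        perms       = 640
      }

      # Secrets exported into the task environment for manage.sh.
      # NOTE(review): BACKUP_PASSWORD is never read by manage.sh; unless
      # something else in this task needs it, drop it so the backup
      # credential is not exposed in this process environment
      template {
        data        = <<_EOT
{{ with secret "kv/service/mariadb" }}
VAULT_INITIAL_PASSWORD={{ .Data.data.vault_initial_pwd }}
BACKUP_PASSWORD={{ .Data.data.backup_pwd }}
{{ end }}
_EOT
        destination = "secrets/manage.env"
        uid         = 100000
        gid         = 100000
        perms       = 400
        env         = true
      }

      resources {
        cpu    = 20
        memory = 64
      }
    }
  }
}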