minio/minio.nomad.hcl

# MinIO job (Nomad HCL rendered through a "[[ ]]" template engine).
# `$c` is re-bound at the job, group and task level from nested merges of the
# config maps; presumably the first map passed to `merge` takes precedence
# (group/task-specific values override `.minio`, which overrides the job root) — confirm.
job "[[ .instance ]]" {
[[- $c := merge .minio . ]]
[[ template "common/job_start" $c ]]
[[- if conv.ToBool $c.metrics.enabled ]]
# Optional group holding only the metrics proxy task; rendered when metrics are enabled.
group "metrics" {
[[- $c := merge .minio.metrics .minio . ]]
[[ template "common/group_start" $c ]]
network {
mode = "bridge"
port "metrics" {}
}
# Metrics are published as a distinct Consul service reachable through Connect.
service {
name = "[[ .instance ]]-metrics[[ .consul.suffix ]]"
[[ template "common/service_meta" $c ]]
[[ template "common/connect" $c ]]
}
[[ template "common/task.metrics_proxy" $c ]]
}
[[- end ]]
# Main group: the minio server plus its nginx front proxy and helper tasks.
group "minio" {
[[- $c := merge .minio.server .minio . ]]
[[ template "common/group_start" $c ]]
[[ template "common/volumes" $c ]]
network {
mode = "bridge"
[[- /* When running in distributed mode, every node must be reachable on the same port, so assign a static one */]]
[[- if gt $c.count 1 ]]
port "api" {
static = [[ $c.api.port ]]
}
[[- end ]]
[[- if conv.ToBool $c.metrics.enabled ]]
port "metrics" {}
[[- end ]]
# Ensure the local minio instance can identify itself: the hostname matches the
# per-allocation DNS name under the "-cluster" service declared below, so peers
# and the node itself resolve it through Consul DNS.
hostname = "minio-${NOMAD_ALLOC_INDEX}.[[ .instance ]]-cluster[[ .consul.suffix ]].service.[[ .consul.domain ]]"
}
# This is the main service, used to reach both the console and the S3 API.
# It'll usually be exposed by Traefik. This service will appear as passing only when the corresponding
# minio is ready, so no requests are routed until they can be processed.
# NOTE(review): port 8000 is presumably the nginx listener rendered from minio/nginx.conf — confirm against that template.
service {
name = "[[ .instance ]][[ .consul.suffix ]]"
port = 8000
[[ template "common/service_meta" $c ]]
[[ template "common/connect" $c ]]
# Liveness check on minio's own health endpoint; `expose = true` publishes the
# check path through the Connect sidecar so Consul can reach it in bridge mode.
check {
type = "http"
path = "/minio/health/live"
expose = true
[[ template "common/check_settings" $c ]]
}
# One Traefik routing block per exposed surface (S3 API, console, metrics).
tags = [
"minio-${NOMAD_ALLOC_INDEX}",
[[ template "common/traefik_tags" merge $c.api $c ]]
[[ template "common/traefik_tags" merge $c.console $c ]]
[[ template "common/traefik_tags" merge $c.metrics $c ]]
]
}
[[- if gt $c.count 1 ]]
# A dummy service for minio instances to find each other. We define no check at all
# so the corresponding DNS entries are immediately published in Consul.
# Unlike the main service it has no Connect stanza: peers talk to the static "api"
# port directly, over TLS (see the https:// URLs in MINIO_VOLUMES below).
service {
name = "[[ .instance ]]-cluster[[ .consul.suffix ]]"
port = "api"
tags = [
"minio-${NOMAD_ALLOC_INDEX}",
]
}
[[- end ]]
[[ template "common/task.wait_for" $c ]]
[[ template "common/task.chown_volumes" $c ]]
[[ template "common/task.metrics_proxy" $c ]]
# A small nginx proxy, used to multiplex the S3 API and console on a single port.
# We could instead use two connect services (so 2 envoy sidecars), but nginx is lighter.
# It's also used to expose the service as plain http for the service mesh.
task "nginx" {
[[- $d := merge $c.nginx $c ]]
driver = "[[ $d.nomad.driver ]]"
# Prestart sidecar: started before minio and kept running for the allocation's lifetime.
lifecycle {
hook = "prestart"
sidecar = true
}
config {
[[ template "common/image" $d ]]
# Hard cap on processes in the container to contain a fork bomb or runaway worker spawn.
pids_limit = 100
[[ template "common/tmpfs" "/tmp" ]]
# The rendered config is mounted read-only so the proxy cannot rewrite its own routing.
volumes = ["local/nginx.conf:/etc/nginx/conf.d/default.conf:ro"]
}
env {
TMPDIR = "/local/tmp"
}
# Rendered from the minio/nginx.conf template (not visible here) into the task's local dir.
template {
data = <<_EOT
[[ template "minio/nginx.conf" $d ]]
_EOT
destination = "local/nginx.conf"
}
[[ template "common/resources" $d ]]
}
task "minio" {
driver = "[[ $c.nomad.driver ]]"
# Leader task: when it exits, Nomad stops the sibling tasks of this group as well.
leader = true
# Give minio some time to shutdown
kill_timeout = "10m"
config {
[[ template "common/image" $c ]]
command = "minio"
args = [
"server",
# The console only listens on loopback; it is reachable solely through the nginx task.
"--console-address=127.0.0.1:9001",
[[- if gt $c.count 1 ]]
# Distributed mode: the S3 API must be reachable by peers, so bind all interfaces
# on the static "api" port and serve TLS from the Vault-issued certificates below.
"--address=0.0.0.0:${NOMAD_ALLOC_PORT_api}",
"--certs-dir=/secrets/tls",
[[- else ]]
# Single node: the API stays on loopback, so only the nginx proxy can reach it.
"--address=127.0.0.1:9000",
[[- end ]]
]
# NOTE(review): written as a string here but as a number in the nginx task above;
# HCL converts either form, but one style would be clearer.
pids_limit = "1000"
}
env {
MINIO_BROWSER_REDIRECT_URL = "[[ $c.console.public_url ]]"
# Default volume layout, unless the caller provides MINIO_VOLUMES explicitly:
# in distributed mode an https:// brace-expansion over all peers' cluster DNS names,
# otherwise just the local data path.
# NOTE(review): this uses `$c.api_port` while the static port block above reads
# `$c.api.port` — confirm both keys exist in the config, or the rendered URL will lack a port.
[[- if not (has $c.env "MINIO_VOLUMES") ]]
MINIO_VOLUMES = "[[- if gt $c.count 1 -]]https://minio-{0...[[ sub $c.count 1 ]]}.[[ .instance ]]-cluster[[ .consul.suffix ]].service.[[ .consul.domain ]]:[[ $c.api_port ]][[ end ]][[ $c.volumes.data.destination ]]/storage"
[[- end ]]
# "public" serves the Prometheus metrics endpoints without a bearer token, so
# exposure of that path must be limited by the Traefik tags / metrics proxy in front of it.
MINIO_PROMETHEUS_AUTH_TYPE = "public"
[[- if gt $c.count 1 ]]
# TLS material for node-to-node traffic; the files are rendered by the templates below.
MINIO_CA = "/local/minio.ca.pem"
MINIO_CERT_BUNDLE = "/secrets/minio.bundle.pem"
MINIO_CERTS_DIR = "/secrets/tls"
[[- end ]]
}
[[ template "common/file_env" $c ]]
[[ template "common/artifacts" $c ]]
[[ template "common/vault.policies" $c ]]
[[- if gt $c.count 1 ]]
# Per-node certificate issued by Vault PKI at render time. The CN is this node's
# cluster DNS name; the SANs cover its per-node and the shared service names plus
# the host IP of the "api" port. The TTL grows with the allocation index
# (72h + 24h * index), presumably so that renewals across nodes do not coincide.
template {
data = <<_EOT
{{- with pkiCert "[[ $.vault.pki.path ]]/issue/minio"
(printf "common_name=minio-%s.[[ $.instance ]]-cluster[[ $.consul.suffix ]].service.[[ $.consul.domain ]]" (env "NOMAD_ALLOC_INDEX"))
(printf "alt_name=minio-%s.[[ $.instance ]][[ $.consul.suffix ]].service.[[ $.consul.domain ]],[[ $.instance ]][[ $.consul.suffix ]].service.[[ $.consul.domain ]]" (env "NOMAD_ALLOC_INDEX"))
(printf "ip_sans=%s" (env "NOMAD_HOST_IP_api"))
(printf "ttl=%dh" (env "NOMAD_ALLOC_INDEX" | parseInt | multiply 24 | add 72)) }}
{{ .Cert }}
{{ .Key }}
{{- end -}}
_EOT
# The bundle contains the private key: owner-only read, owned by minio's uid/gid
# shifted by the Docker user-namespace offset.
destination = "/secrets/minio.bundle.pem"
uid = [[ 9000 | add $c.docker.userns.uid_shift ]]
gid = [[ 9000 | add $c.docker.userns.gid_shift ]]
perms = 400
# On renewal, run the split script instead of restarting the task (the script name
# suggests it splits the bundle into the certs dir — confirm in the image's entrypoint.d).
change_mode = "script"
change_script {
command = "/entrypoint.d/10-split-cert"
}
}
# CA certificate chains
# NOTE(review): no `change_mode = "script"` here, unlike the bundle template above;
# Nomad's default change_mode is "restart", so this change_script may never run — confirm intent.
template {
data = <<_EOT
{{- with secret "[[ $c.vault.pki.path ]]/cert/ca_chain" }}
{{ .Data.ca_chain }}
{{- end }}
_EOT
destination = "local/minio.ca.pem"
change_script {
command = "/entrypoint.d/10-split-cert"
}
}
[[- end ]]
[[ template "common/volumes_mount" $c ]]
[[ template "common/resources" $c ]]
}
}
}