Cleanup, use supercronic instead of nomad cron, and quote passwords in

env
2023-10-31 14:39:26 +01:00 · 2023-10-31 14:39:26 +01:00 · 7e7eb131b4
commit 7e7eb131b4
parent 269b3213c4
2 changed files with 20 additions and 21 deletions
--- a/manage.nomad.hcl
+++ b/manage.nomad.hcl
@ -1,16 +1,12 @@
 [[ $c := merge .pg.manage . -]]

-job "[[ .pg.instance ]]-manage[[ .consul.suffix ]]" {
+job "[[ .pg.instance ]]-manage[[ $c.consul.suffix ]]" {

-  type = "batch"
-[[- if and (has .pg.manage "cron") (ne .pg.manage.cron "") ]]
-  periodic {
-    crons           = [
-      [[ .pg.manage.cron | toJSON ]]
-    ]
-    prohibit_overlap = true
-  }
+[[- if and (has $c "cron") (ne $c.cron "") ]]
+  type = "service"
 [[- else ]]
+  type = "batch"
+
  meta {
    # Force job to run each time
    run = "${uuidv4()}"
@ -29,29 +25,29 @@ job "[[ .pg.instance ]]-manage[[ .consul.suffix ]]" {
    }

    service {
-      name = "[[ .pg.instance ]]-manage[[ .consul.suffix ]]"
+      name = "[[ .pg.instance ]]-manage[[ $c.consul.suffix ]]"
 [[ template "common/connect.tpl" $c ]]
    }

 [[ template "common/task.wait_for.tpl" $c ]]

    task "ldap2pg" {
-      driver = [[ .nomad.driver | toJSON ]]
+      driver = [[ $c.nomad.driver | toJSON ]]

      config {
-        image           = [[ .pg.manage.image | toJSON ]]
+        image           = [[ $c.image | toJSON ]]
        readonly_rootfs = true
        pids_limit      = 20
      }

      vault {
-        policies     = ["[[ .pg.instance ]][[ .consul.suffix ]]"]
+        policies     = ["[[ .pg.instance ]][[ $c.consul.suffix ]]"]
        env          = false
        disable_file = true
      }

      env {
-[[- range $idx, $db := .pg.manage.databases ]]
+[[- range $idx, $db := $c.databases ]]
        PG_DB_[[ $idx ]] = [[ $db.name | toJSON ]]
  [[- if has $db "owner" ]]
        PG_DB_[[ $idx ]]_OWNER = [[ $db.owner | toJSON ]]
@ -64,17 +60,20 @@ job "[[ .pg.instance ]]-manage[[ .consul.suffix ]]" {
  [[- end ]]
 [[- end ]]
        LDAP2PG_CONFIG = "/secrets/ldap2pg.yml"
-        LDAP2PG_MODE = [[ .pg.manage.mode | toJSON ]]
+        LDAP2PG_MODE = [[ $c.mode | toJSON ]]
+[[- if and (has $c "cron") (ne $c.cron "") ]]
+        LDAP2PG_CRON = [[ $c.cron | toJSON ]]
+[[- end ]]
      }

-[[ template "common/file_env.tpl" .pg.manage.env ]]
+[[ template "common/file_env.tpl" $c.env ]]

      template {
        data =<<_EOF
 PGHOST=localhost
 PGPORT=5432
 PGUSER=postgres
-PGPASSWORD={{ with secret "[[ .vault.prefix ]]kv/service/[[ .pg.instance ]]" }}{{ .Data.data.pg_pwd }}{{ end }}
+PGPASSWORD={{ with secret "[[ .vault.prefix ]]kv/service/[[ .pg.instance ]]" }}{{ .Data.data.pg_pwd | sprig_squote }}{{ end }}
 _EOF
        destination = "secrets/pg-manage.env"
        uid = 100000
@ -85,10 +84,10 @@ _EOF

      template {
        data =<<_EOF
-[[ (merge .pg.manage.config .pg.manage.default_config) | toYAML ]]
+[[ (merge $c.config $c.default_config) | toYAML ]]

 rules:
-[[ (coll.Slice .pg.manage.rules .pg.manage.default_rules) | flatten | toYAML | strings.Indent 2]]
+[[ (coll.Slice $c.rules $c.default_rules) | flatten | toYAML | strings.Indent 2]]
 _EOF
        destination = "secrets/ldap2pg.yml"
        uid = 100000
@ -96,7 +95,7 @@ _EOF
        perms = 0400
      }

-[[ template "common/resources.tpl" .pg.manage.resources ]]
+[[ template "common/resources.tpl" $c.resources ]]
    }
  }
 }
--- a/postgres.nomad.hcl
+++ b/postgres.nomad.hcl
@ -372,7 +372,7 @@ _EOT
 PG_EXPORTER_AUTO_DISCOVER_DATABASES=true
 DATA_SOURCE_URI=127.0.0.1:5432/postgres
 DATA_SOURCE_USER=monitor
-DATA_SOURCE_PASS={{ with secret "[[ .vault.prefix ]]kv/service/[[ .pg.instance ]]" }}{{ .Data.data.monitor_pwd }}{{ end }}
+DATA_SOURCE_PASS={{ with secret "[[ .vault.prefix ]]kv/service/[[ .pg.instance ]]" }}{{ .Data.data.monitor_pwd | sprig_squote }}{{ end }}
 _EOT
        destination = "secrets/env"
        perms       = "0400"