More work on ldap2pg integration

This commit is contained in:
Daniel Berteaud 2023-09-11 23:54:10 +02:00
parent 2a513c06c5
commit f13ccfbaa5
9 changed files with 80 additions and 134 deletions


@ -2,7 +2,7 @@ Kind = "service-intentions"
Name = "[[ .pg.job_name ]][[ .env.suffix ]]"
Sources = [
{
Name = "[[ .pg.job_name ]]-manager[[ .env.suffix ]]"
Name = "[[ .pg.job_name ]]-ldap2pg[[ .env.suffix ]]"
Action = "allow"
}
]

2
deps/common vendored

@ -1 +1 @@
Subproject commit 54d69c4b349be1688c31a161cf0591bfc1bf29fd
Subproject commit 09df4b67f712e4d213118e008eb28b6da89b6c8d


@ -15,10 +15,16 @@ RUN set -eux &&\
FROM [[ .docker.repo ]][[ .docker.base_images.alpine.image ]]
MAINTAINER [[ .docker.maintainer ]]
ENV PGHOST=localhost \
PGPORT=5432 \
PGUSER=postgres \
LDAP2PG_MODE=dry \
LDAP2PG_CRON=
COPY --from=ldap2pg /tmp/ldap2pg /usr/local/bin/ldap2pg
RUN set -eux &&\
apk --no-cache upgrade &&\
apk --no-cache add postgresql15-client ca-certificates
apk --no-cache add postgresql15-client ca-certificates supercronic
COPY root/ /
CMD ["pgman"]
CMD ["run.sh"]
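Review bot: The two new ENV defaults on lines 36-37 are undocumented, and `LDAP2PG_CRON=` (empty) is what makes run.sh skip supercronic, so its meaning matters to anyone overriding it. A comment above the ENV block would help: `# LDAP2PG_MODE: "dry" makes run.sh only report; any other value applies changes with --real` and `# LDAP2PG_CRON: cron expression; when non-empty run.sh starts supercronic and re-runs ldap2pg on that schedule`. The builder stage that produces /tmp/ldap2pg is outside this hunk, so the provenance of the binary cannot be checked here.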


@ -1,7 +1,6 @@
#!/bin/sh
set -x
# Create DB
for IDX in $(printenv | grep -E '^PG_DB_([0-9]+)=' | sed -E 's/^PG_DB_([0-9]+)=.*/\1/'); do
DB_NAME=$(printenv PG_DB_${IDX})
echo "Found DB ${DB_NAME} to create"
@ -23,6 +22,7 @@ for IDX in $(printenv | grep -E '^PG_DB_([0-9]+)=' | sed -E 's/^PG_DB_([0-9]+)=.
${CMD} || echo $?
done
# Set permissions
if [ -e "${LDAP2PG_CONFIG}" ]; then
if [ "${LDAP2PG_MODE}" = "dry" ]; then
echo "Running ldap2pg in dry mode"
@ -31,4 +31,9 @@ if [ -e "${LDAP2PG_CONFIG}" ]; then
echo "Applying privileges with ldap2pg"
ldap2pg --real --config ${LDAP2PG_CONFIG}
fi
# If LDAP2PG_CRON is defined, run supercronic
if [ -n "${LDAP2PG_CRON}" ]; then
echo "${LDAP2PG_CRON} ldap2pg --real --config ${LDAP2PG_CONFIG}" > /dev/shm/cron
supercronic /dev/shm/cron
fi
fi
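Review bot: The cron entry written on line 69 always passes `--real`, so when LDAP2PG_MODE is left at its default `dry` (Dockerfile ENV, values `mode: dry`) the one-shot run on lines 61-66 only reports, but supercronic then applies privilege changes for real on every tick; that is easy to miss. If it is intended it needs a comment; otherwise derive the flag from the mode, assuming ldap2pg without `--real` is the dry run the first branch uses: `REAL_FLAG=--real; [ "${LDAP2PG_MODE}" = "dry" ] && REAL_FLAG=` and `echo "${LDAP2PG_CRON} ldap2pg ${REAL_FLAG} --config ${LDAP2PG_CONFIG}" > /dev/shm/cron`. `${LDAP2PG_CONFIG}` is also unquoted on lines 65 and 69; quote it like the `-e` test on line 60 does.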

18
ldap2pg.nomad.hcl Normal file

@ -0,0 +1,18 @@
job "[[ .pg.job_name ]]-ldap2pg[[ .env.suffix ]]" {
type = "batch"
[[ template "common/job_start.tpl" . ]]
meta {
# Force job to run each time
run = "${uuidv4()}"
}
[[ template "postgres/group.ldap2pg.tpl" merge (dict "job_type" "batch") . ]]
}
variable "mode" {
type = string
default = "dry"
}
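Review bot: `variable "mode"` on lines 88-91 has no description, and run.sh (page lines 61-65) treats every value other than exactly `dry` as a request to run `ldap2pg --real`, so a typo such as `-var mode=dyr` applies privilege changes instead of reporting them. At minimum add `description = "ldap2pg mode: \"dry\" (default) only reports; any other value runs ldap2pg --real and applies changes."`; if the Nomad version in use supports variable `validation` blocks, restrict it to `dry`/`real`. This batch job also registers the same `-ldap2pg` service name as the sidecar group (group.ldap2pg.tpl line 239), so both share the Consul intention granted on line 16; a one-line comment on line 79 noting that shared identity would help the next reader.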


@ -1,89 +0,0 @@
job "[[ .pg.job_name ]]-manager[[ .env.suffix ]]" {
type = "batch"
[[ template "common/job_start.tpl" . ]]
meta {
# Force job to run each time
run = "${uuidv4()}"
}
group "pgman" {
network {
mode = "bridge"
}
service {
name = "[[ .pg.job_name ]]-manager[[ .env.suffix ]]"
[[ template "common/connect.tpl" dict "ctx" . "config" .pg.pgman ]]
}
task "pgman" {
driver = [[ .pg.pgman.driver | toJSON ]]
config {
image = [[ .pg.pgman.image | toJSON ]]
readonly_rootfs = true
pids_limit = 20
}
vault {
policies = ["[[ .pg.job_name ]][[ .env.suffix ]]"]
env = false
disable_file = true
}
env {
[[- range $idx, $db := .pg.pgman.databases ]]
PG_DB_[[ $idx ]] = [[ $db.name | toJSON ]]
[[- if has $db "owner" ]]
PG_DB_[[ $idx ]]_OWNER = [[ $db.owner | toJSON ]]
[[- end ]]
[[- if has $db "encoding" ]]
PG_DB_[[ $idx ]]_ENCODING = [[ $db.encoding | toJSON ]]
[[- end ]]
[[- if has $db "locale" ]]
PG_DB_[[ $idx ]]_OWNER = [[ $db.locale | toJSON ]]
[[- end ]]
[[- end ]]
LDAP2PG_CONFIG = "/secrets/ldap2pg.yml"
LDAP2PG_MODE = var.ldap2pg
}
template {
data =<<_EOF
PGHOST=localhost
PGPORT=5432
PGUSER=postgres
PGPASSWORD={{ with secret "[[ .vault.prefix ]]kv/service/[[ .pg.job_name ]]" }}{{ .Data.data.pg_pwd }}{{ end }}
_EOF
destination = "secrets/env"
uid = 100000
gid = 100000
perms = 0400
env = true
}
template {
data =<<_EOF
[[ (merge .pg.pgman.ldap2pg.config ((tmpl.Exec "postgres/ldap2pg.yml.tpl" .) | yaml)) | toYAML ]]
rules:
[[ (coll.Slice ((tmpl.Exec "postgres/ldap2pg_rules.yml.tpl" .) | yaml).rules (.pg.pgman.ldap2pg.rules)) | flatten | toYAML | strings.Indent 2]]
_EOF
destination = "secrets/ldap2pg.yml"
uid = 100000
gid = 100000
perms = 0400
}
[[ template "common/resources.tpl" .pg.pgman.resources ]]
}
}
}
variable "ldap2pg" {
type = string
default = "dry"
}


@ -2,7 +2,7 @@ job [[ .pg.job_name | toJSON ]] {
[[ template "common/job_start.tpl" . ]]
group "postgres" {
group "server" {
count = [[ .pg.server.count ]]
network {
mode = "bridge"
@ -16,6 +16,21 @@ job [[ .pg.job_name | toJSON ]] {
port = 5432
[[ template "common/prometheus_meta.tpl" dict "ctx" . ]]
[[ template "common/connect.tpl" dict "ctx" . "config" .pg ]]
tags = [
"alloc=${NOMAD_ALLOC_INDEX}",
[[- if eq .pg.server.count 1 ]]
"master",
[[- end ]]
]
check {
name = "ready"
type = "script"
interval = "5s"
timeout = "5s"
task = "postgres"
command = "pg_isready"
}
}
volume "postgres" {
@ -117,26 +132,7 @@ job [[ .pg.job_name | toJSON ]] {
[[- end ]]
}
group "pgman" {
network {
mode = "bridge"
}
service {
name = "[[ .pg.job_name ]]-manager[[ .env.suffix ]]"
[[ template "common/connect.tpl" dict "ctx" . "config" .pg.pgman ]]
}
task "pgman" {
driver = [[ .pg.pgman.driver | toJSON ]]
config {
image = [[ .pg.pgman.image | toJSON ]]
readonly_rootfs = true
pids_limit = 20
}
[[ template "common/resources.tpl" .pg.pgman.resources ]]
}
}
[[- if and (has .pg.ldap2pg "cron") (ne .pg.ldap2pg.cron "") ]]
[[ template "postgres/group.ldap2pg.tpl" . ]]
[[- end ]]
}
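Review bot: The `master` tag added on lines 187-189 is only set when `.pg.server.count` is 1, yet the ldap2pg group included on line 223 waits for `master.<job>.service.<domain>` (group.ldap2pg.tpl, page line 246), so with count > 1 nothing in this job registers that tag and the wait would not resolve unless some component not visible here applies it. Either make the include on line 222 also conditional on `count` being 1, or document the assumption next to the tag: `# "master" is only tagged statically for single-node deployments; multi-node setups must tag the primary themselves`. Separately, the `ready` script check on lines 191-198 runs `pg_isready` with no `-h`/`-p`, relying on libpq defaults inside the postgres task; a short comment stating that it probes the local socket would make the intent explicit.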


@ -1,20 +1,24 @@
# vim: syntax=hcl
group "pgman" {
group "ldap2pg" {
network {
mode = "bridge"
}
service {
name = "[[ .pg.job_name ]]-manager[[ .env.suffix ]]"
[[ template "common/connect.tpl" dict "ctx" . "config" .pg.pgman ]]
name = "[[ .pg.job_name ]]-ldap2pg[[ .env.suffix ]]"
[[ template "common/connect.tpl" dict "ctx" . "config" .pg.ldap2pg ]]
}
task "pgman" {
driver = [[ .pg.pgman.driver | toJSON ]]
[[ template "common/task.wait_for.tpl" dict
"ctx" .
"wait_for" (coll.Slice (dict "service" (printf "master.%s%s.service.%s" .pg.job_name .env.suffix .consul.domain))) ]]
task "ldap2pg" {
driver = [[ .pg.ldap2pg.driver | toJSON ]]
config {
image = [[ .pg.pgman.image | toJSON ]]
image = [[ .pg.ldap2pg.image | toJSON ]]
readonly_rootfs = true
pids_limit = 20
}
@ -26,7 +30,7 @@ group "pgman" {
}
env {
[[- range $idx, $db := .pg.pgman.databases ]]
[[- range $idx, $db := .pg.ldap2pg.databases ]]
PG_DB_[[ $idx ]] = [[ $db.name | toJSON ]]
[[- if has $db "owner" ]]
PG_DB_[[ $idx ]]_OWNER = [[ $db.owner | toJSON ]]
@ -39,7 +43,12 @@ group "pgman" {
[[- end ]]
[[- end ]]
LDAP2PG_CONFIG = "/secrets/ldap2pg.yml"
LDAP2PG_MODE = var.ldap2pg
[[- if and (has . "job_type") (eq .job_type "batch") ]]
LDAP2PG_MODE = var.mode
[[- else ]]
LDAP2PG_MODE = [[ .pg.ldap2pg.mode | toJSON ]]
LDAP2PG_CRON = [[ .pg.ldap2pg.cron | toJSON ]]
[[- end ]]
}
template {
@ -58,10 +67,10 @@ _EOF
template {
data =<<_EOF
[[ (merge .pg.pgman.ldap2pg.config ((tmpl.Exec "postgres/ldap2pg.yml.tpl" .) | yaml)) | toYAML ]]
[[ (merge .pg.ldap2pg.config ((tmpl.Exec "postgres/ldap2pg.yml.tpl" .) | yaml)) | toYAML ]]
rules:
[[ (coll.Slice ((tmpl.Exec "postgres/ldap2pg_rules.yml.tpl" .) | yaml).rules (.pg.pgman.ldap2pg.rules)) | flatten | toYAML | strings.Indent 2]]
[[ (coll.Slice ((tmpl.Exec "postgres/ldap2pg_rules.yml.tpl" .) | yaml).rules (.pg.ldap2pg.rules)) | flatten | toYAML | strings.Indent 2]]
_EOF
destination = "secrets/ldap2pg.yml"
uid = 100000
@ -69,7 +78,7 @@ _EOF
perms = 0400
}
[[ template "common/resources.tpl" .pg.pgman.resources ]]
[[ template "common/resources.tpl" .pg.ldap2pg.resources ]]
}
}
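Review bot: The env block starting on line 257 is cut by the hunk between lines 262 and 264, and the manager job this template replaces set `PG_DB_[[ $idx ]]_OWNER = [[ $db.locale | toJSON ]]` for the locale entry (page line 133), silently overwriting the owner with the locale; if that block was carried over verbatim here, the hidden line should read `PG_DB_[[ $idx ]]_LOCALE = [[ $db.locale | toJSON ]]` — please confirm. `var.mode` on line 269 is declared only in ldap2pg.nomad.hcl (page line 88), so the template is valid solely because the `job_type` switch keeps it out of the service variant; a comment on line 268 such as `# var.mode is declared by ldap2pg.nomad.hcl; the service variant takes mode/cron from values` would save the next reader a search.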


@ -31,8 +31,8 @@ pg:
memory: 256
env: {}
pgman:
image: danielberteaud/pgman:latest
ldap2pg:
image: danielberteaud/ldap2pg:latest
driver: docker
resources:
cpu: 20
@ -43,6 +43,7 @@ pg:
- destination_name: postgres
local_bind_port: 5432
databases: []
ldap2pg:
config: {}
rules: []
cron: 46 * * * *
mode: dry
config: {}
rules: []
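Review bot: With `cron: 46 * * * *` as the default on line 314, the ldap2pg sidecar group is included in every deployment (postgres.nomad.hcl line 222 only checks for a non-empty cron) and, per run.sh lines 67-71, that cron job runs `ldap2pg --real` hourly even though `mode: dry` is the default right below it. Making continuous sync opt-in would be safer: `cron: ""` with a comment `# set e.g. "46 * * * *" to re-apply ldap2pg --real on a schedule (sidecar group); empty disables it`. If the always-on default is intentional, document on line 315 that `mode` only governs the one-shot run. The image on line 303 is pinned to the mutable `:latest` tag; for a container that manages database roles and grants, pinning a version or digest is the usual supply-chain precaution.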