More work on ldap2pg integration
This commit is contained in:
parent
2a513c06c5
commit
f13ccfbaa5
|
@ -2,7 +2,7 @@ Kind = "service-intentions"
|
|||
Name = "[[ .pg.job_name ]][[ .env.suffix ]]"
|
||||
Sources = [
|
||||
{
|
||||
Name = "[[ .pg.job_name ]]-manager[[ .env.suffix ]]"
|
||||
Name = "[[ .pg.job_name ]]-ldap2pg[[ .env.suffix ]]"
|
||||
Action = "allow"
|
||||
}
|
||||
]
|
||||
|
|
2
deps/common
vendored
2
deps/common
vendored
|
@ -1 +1 @@
|
|||
Subproject commit 54d69c4b349be1688c31a161cf0591bfc1bf29fd
|
||||
Subproject commit 09df4b67f712e4d213118e008eb28b6da89b6c8d
|
|
@ -15,10 +15,16 @@ RUN set -eux &&\
|
|||
FROM [[ .docker.repo ]][[ .docker.base_images.alpine.image ]]
|
||||
MAINTAINER [[ .docker.maintainer ]]
|
||||
|
||||
ENV PGHOST=localhost \
|
||||
PGPORT=5432 \
|
||||
PGUSER=postgres \
|
||||
LDAP2PG_MODE=dry \
|
||||
LDAP2PG_CRON=
|
||||
|
||||
COPY --from=ldap2pg /tmp/ldap2pg /usr/local/bin/ldap2pg
|
||||
RUN set -eux &&\
|
||||
apk --no-cache upgrade &&\
|
||||
apk --no-cache add postgresql15-client ca-certificates
|
||||
apk --no-cache add postgresql15-client ca-certificates supercronic
|
||||
COPY root/ /
|
||||
|
||||
CMD ["pgman"]
|
||||
CMD ["run.sh"]
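Review bot: The new `ENV` defaults `LDAP2PG_MODE=dry` and `LDAP2PG_CRON=` encode safety behaviour that nothing in the image documents: judging by `run.sh` elsewhere in this commit, only the literal value `dry` is a dry run and any other value lets the script apply changes with `--real`, while an empty `LDAP2PG_CRON` disables the supercronic schedule. A comment above the `ENV` block would spare operators a trip into the script, e.g. `# LDAP2PG_MODE: "dry" (default) only reports; any other value applies privileges for real.` and `# LDAP2PG_CRON: cron expression for supercronic; empty (default) disables scheduled runs.` `run.sh` itself is not part of this hunk, so those semantics should be re-checked against the script before the comment is committed.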
|
|
@ -1,7 +1,6 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -x
|
||||
|
||||
# Create DB
|
||||
for IDX in $(printenv | grep -E '^PG_DB_([0-9]+)=' | sed -E 's/^PG_DB_([0-9]+)=.*/\1/'); do
|
||||
DB_NAME=$(printenv PG_DB_${IDX})
|
||||
echo "Found DB ${DB_NAME} to create"
|
||||
|
@ -23,6 +22,7 @@ for IDX in $(printenv | grep -E '^PG_DB_([0-9]+)=' | sed -E 's/^PG_DB_([0-9]+)=.
|
|||
${CMD} || echo $?
|
||||
done
|
||||
|
||||
# Set permissions
|
||||
if [ -e "${LDAP2PG_CONFIG}" ]; then
|
||||
if [ "${LDAP2PG_MODE}" = "dry" ]; then
|
||||
echo "Running ldap2pg in dry mode"
|
||||
|
@ -31,4 +31,9 @@ if [ -e "${LDAP2PG_CONFIG}" ]; then
|
|||
echo "Applying privileges with ldap2pg"
|
||||
ldap2pg --real --config ${LDAP2PG_CONFIG}
|
||||
fi
|
||||
# If LDAP2PG_CRON is defined, run supercronic
|
||||
if [ -n "${LDAP2PG_CRON}" ]; then
|
||||
echo "${LDAP2PG_CRON} ldap2pg --real --config ${LDAP2PG_CONFIG}" > /dev/shm/cron
|
||||
supercronic /dev/shm/cron
|
||||
fi
|
||||
fi
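Review bot: The scheduled run written with `echo "${LDAP2PG_CRON} ldap2pg --real --config ${LDAP2PG_CONFIG}" > /dev/shm/cron` hard-codes `--real`, so a deployment left at the default `LDAP2PG_MODE=dry` does one dry pass at startup and then rewrites privileges for real on every cron tick, bypassing the mode check a few lines above. Derive the flag once from the mode and reuse it, e.g. `[ "${LDAP2PG_MODE}" = "dry" ] && LDAP2PG_FLAGS="" || LDAP2PG_FLAGS="--real"` followed by `echo "${LDAP2PG_CRON} ldap2pg ${LDAP2PG_FLAGS} --config \"${LDAP2PG_CONFIG}\"" > /dev/shm/cron` (this assumes the dry branch above, which is cut off in this hunk, invokes ldap2pg without `--real`); if a recurring dry run is not wanted, only start supercronic when the mode is not `dry`. Quoting `${LDAP2PG_CONFIG}` in the `--real` invocation above the cron block would also be consistent with the `[ -e "${LDAP2PG_CONFIG}" ]` guard. The `set -x` at the top traces every command line; nothing visible here prints `PGPASSWORD`, but keep it in mind if `${CMD}` in the database loop ever carries credentials.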
|
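--- /dev/null
+++ b/ldap2pg.nomad.hcl
@@ -0,0 +1,18 @@
+job "[[ .pg.job_name ]]-ldap2pg[[ .env.suffix ]]" {
+
+type = "batch"
+
+[[ template "common/job_start.tpl" . ]]
+
+meta {
+# Force job to run each time
+run = "${uuidv4()}"
+}
+
+[[ template "postgres/group.ldap2pg.tpl" merge (dict "job_type" "batch") . ]]
+}
+
+variable "mode" {
+type = string
+default = "dry"
+}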
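Review bot: `variable "mode"` accepts any string, and `run.sh` in this commit treats every value other than `dry` as a real run, so a mistyped `-var mode=dryrun` applies privilege changes instead of reporting them. At minimum give the variable a `description` naming the accepted values, e.g. `description = "ldap2pg mode: \"dry\" (default) only reports; \"real\" applies privileges"`, and if the Nomad version in use supports `validation` blocks on job variables, restrict it to those two values; otherwise have the script fail closed on anything other than `dry` or `real`. The `meta { run = "${uuidv4()}" }` idiom is fine but the comment would read better as `# Fresh UUID on every submit so an identical spec is not deduplicated and the batch job re-runs`.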
|
@ -1,89 +0,0 @@
|
|||
job "[[ .pg.job_name ]]-manager[[ .env.suffix ]]" {
|
||||
|
||||
type = "batch"
|
||||
|
||||
[[ template "common/job_start.tpl" . ]]
|
||||
|
||||
meta {
|
||||
# Force job to run each time
|
||||
run = "${uuidv4()}"
|
||||
}
|
||||
|
||||
group "pgman" {
|
||||
network {
|
||||
mode = "bridge"
|
||||
}
|
||||
|
||||
service {
|
||||
name = "[[ .pg.job_name ]]-manager[[ .env.suffix ]]"
|
||||
[[ template "common/connect.tpl" dict "ctx" . "config" .pg.pgman ]]
|
||||
}
|
||||
|
||||
task "pgman" {
|
||||
driver = [[ .pg.pgman.driver | toJSON ]]
|
||||
|
||||
config {
|
||||
image = [[ .pg.pgman.image | toJSON ]]
|
||||
readonly_rootfs = true
|
||||
pids_limit = 20
|
||||
}
|
||||
|
||||
vault {
|
||||
policies = ["[[ .pg.job_name ]][[ .env.suffix ]]"]
|
||||
env = false
|
||||
disable_file = true
|
||||
}
|
||||
|
||||
env {
|
||||
[[- range $idx, $db := .pg.pgman.databases ]]
|
||||
PG_DB_[[ $idx ]] = [[ $db.name | toJSON ]]
|
||||
[[- if has $db "owner" ]]
|
||||
PG_DB_[[ $idx ]]_OWNER = [[ $db.owner | toJSON ]]
|
||||
[[- end ]]
|
||||
[[- if has $db "encoding" ]]
|
||||
PG_DB_[[ $idx ]]_ENCODING = [[ $db.encoding | toJSON ]]
|
||||
[[- end ]]
|
||||
[[- if has $db "locale" ]]
|
||||
PG_DB_[[ $idx ]]_OWNER = [[ $db.locale | toJSON ]]
|
||||
[[- end ]]
|
||||
[[- end ]]
|
||||
LDAP2PG_CONFIG = "/secrets/ldap2pg.yml"
|
||||
LDAP2PG_MODE = var.ldap2pg
|
||||
}
|
||||
|
||||
template {
|
||||
data =<<_EOF
|
||||
PGHOST=localhost
|
||||
PGPORT=5432
|
||||
PGUSER=postgres
|
||||
PGPASSWORD={{ with secret "[[ .vault.prefix ]]kv/service/[[ .pg.job_name ]]" }}{{ .Data.data.pg_pwd }}{{ end }}
|
||||
_EOF
|
||||
destination = "secrets/env"
|
||||
uid = 100000
|
||||
gid = 100000
|
||||
perms = 0400
|
||||
env = true
|
||||
}
|
||||
|
||||
template {
|
||||
data =<<_EOF
|
||||
[[ (merge .pg.pgman.ldap2pg.config ((tmpl.Exec "postgres/ldap2pg.yml.tpl" .) | yaml)) | toYAML ]]
|
||||
|
||||
rules:
|
||||
[[ (coll.Slice ((tmpl.Exec "postgres/ldap2pg_rules.yml.tpl" .) | yaml).rules (.pg.pgman.ldap2pg.rules)) | flatten | toYAML | strings.Indent 2]]
|
||||
_EOF
|
||||
destination = "secrets/ldap2pg.yml"
|
||||
uid = 100000
|
||||
gid = 100000
|
||||
perms = 0400
|
||||
}
|
||||
|
||||
[[ template "common/resources.tpl" .pg.pgman.resources ]]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
variable "ldap2pg" {
|
||||
type = string
|
||||
default = "dry"
|
||||
}
|
|
@ -2,7 +2,7 @@ job [[ .pg.job_name | toJSON ]] {
|
|||
|
||||
[[ template "common/job_start.tpl" . ]]
|
||||
|
||||
group "postgres" {
|
||||
group "server" {
|
||||
count = [[ .pg.server.count ]]
|
||||
network {
|
||||
mode = "bridge"
|
||||
|
@ -16,6 +16,21 @@ job [[ .pg.job_name | toJSON ]] {
|
|||
port = 5432
|
||||
[[ template "common/prometheus_meta.tpl" dict "ctx" . ]]
|
||||
[[ template "common/connect.tpl" dict "ctx" . "config" .pg ]]
|
||||
tags = [
|
||||
"alloc=${NOMAD_ALLOC_INDEX}",
|
||||
[[- if eq .pg.server.count 1 ]]
|
||||
"master",
|
||||
[[- end ]]
|
||||
]
|
||||
|
||||
check {
|
||||
name = "ready"
|
||||
type = "script"
|
||||
interval = "5s"
|
||||
timeout = "5s"
|
||||
task = "postgres"
|
||||
command = "pg_isready"
|
||||
}
|
||||
}
|
||||
|
||||
volume "postgres" {
|
||||
|
@ -117,26 +132,7 @@ job [[ .pg.job_name | toJSON ]] {
|
|||
[[- end ]]
|
||||
}
|
||||
|
||||
group "pgman" {
|
||||
network {
|
||||
mode = "bridge"
|
||||
}
|
||||
|
||||
service {
|
||||
name = "[[ .pg.job_name ]]-manager[[ .env.suffix ]]"
|
||||
[[ template "common/connect.tpl" dict "ctx" . "config" .pg.pgman ]]
|
||||
}
|
||||
|
||||
task "pgman" {
|
||||
driver = [[ .pg.pgman.driver | toJSON ]]
|
||||
|
||||
config {
|
||||
image = [[ .pg.pgman.image | toJSON ]]
|
||||
readonly_rootfs = true
|
||||
pids_limit = 20
|
||||
}
|
||||
|
||||
[[ template "common/resources.tpl" .pg.pgman.resources ]]
|
||||
}
|
||||
}
|
||||
[[- if and (has .pg.ldap2pg "cron") (ne .pg.ldap2pg.cron "") ]]
|
||||
[[ template "postgres/group.ldap2pg.tpl" . ]]
|
||||
[[- end ]]
|
||||
}
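Review bot: The `"master"` tag is emitted only when `.pg.server.count` equals 1, yet the ldap2pg group included at the bottom of this hunk waits on `master.<job>.service.<domain>` (per `group.ldap2pg.tpl` in this commit); for `count > 1` that name is never registered by this file, so unless some mechanism outside the hunk tags the primary, the ldap2pg task blocks indefinitely. Either tag the primary in the multi-instance case as well, or fail the render when the combination is invalid, e.g. `[[- if and (gt .pg.server.count 1) (ne .pg.ldap2pg.cron "") ]][[ fail "ldap2pg cron needs a master-tagged server; only count=1 sets it" ]][[- end ]]`. A short comment on the tag line, `# "master" is what wait_for in group.ldap2pg.tpl resolves; only valid for a single instance`, would make the coupling visible to the next editor. The job block continues outside this hunk.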
|
||||
|
|
|
@ -1,20 +1,24 @@
|
|||
# vim: syntax=hcl
|
||||
|
||||
group "pgman" {
|
||||
group "ldap2pg" {
|
||||
network {
|
||||
mode = "bridge"
|
||||
}
|
||||
|
||||
service {
|
||||
name = "[[ .pg.job_name ]]-manager[[ .env.suffix ]]"
|
||||
[[ template "common/connect.tpl" dict "ctx" . "config" .pg.pgman ]]
|
||||
name = "[[ .pg.job_name ]]-ldap2pg[[ .env.suffix ]]"
|
||||
[[ template "common/connect.tpl" dict "ctx" . "config" .pg.ldap2pg ]]
|
||||
}
|
||||
|
||||
task "pgman" {
|
||||
driver = [[ .pg.pgman.driver | toJSON ]]
|
||||
[[ template "common/task.wait_for.tpl" dict
|
||||
"ctx" .
|
||||
"wait_for" (coll.Slice (dict "service" (printf "master.%s%s.service.%s" .pg.job_name .env.suffix .consul.domain))) ]]
|
||||
|
||||
task "ldap2pg" {
|
||||
driver = [[ .pg.ldap2pg.driver | toJSON ]]
|
||||
|
||||
config {
|
||||
image = [[ .pg.pgman.image | toJSON ]]
|
||||
image = [[ .pg.ldap2pg.image | toJSON ]]
|
||||
readonly_rootfs = true
|
||||
pids_limit = 20
|
||||
}
|
||||
|
@ -26,7 +30,7 @@ group "pgman" {
|
|||
}
|
||||
|
||||
env {
|
||||
[[- range $idx, $db := .pg.pgman.databases ]]
|
||||
[[- range $idx, $db := .pg.ldap2pg.databases ]]
|
||||
PG_DB_[[ $idx ]] = [[ $db.name | toJSON ]]
|
||||
[[- if has $db "owner" ]]
|
||||
PG_DB_[[ $idx ]]_OWNER = [[ $db.owner | toJSON ]]
|
||||
|
@ -39,7 +43,12 @@ group "pgman" {
|
|||
[[- end ]]
|
||||
[[- end ]]
|
||||
LDAP2PG_CONFIG = "/secrets/ldap2pg.yml"
|
||||
LDAP2PG_MODE = var.ldap2pg
|
||||
[[- if and (has . "job_type") (eq .job_type "batch") ]]
|
||||
LDAP2PG_MODE = var.mode
|
||||
[[- else ]]
|
||||
LDAP2PG_MODE = [[ .pg.ldap2pg.mode | toJSON ]]
|
||||
LDAP2PG_CRON = [[ .pg.ldap2pg.cron | toJSON ]]
|
||||
[[- end ]]
|
||||
}
|
||||
|
||||
template {
|
||||
|
@ -58,10 +67,10 @@ _EOF
|
|||
|
||||
template {
|
||||
data =<<_EOF
|
||||
[[ (merge .pg.pgman.ldap2pg.config ((tmpl.Exec "postgres/ldap2pg.yml.tpl" .) | yaml)) | toYAML ]]
|
||||
[[ (merge .pg.ldap2pg.config ((tmpl.Exec "postgres/ldap2pg.yml.tpl" .) | yaml)) | toYAML ]]
|
||||
|
||||
rules:
|
||||
[[ (coll.Slice ((tmpl.Exec "postgres/ldap2pg_rules.yml.tpl" .) | yaml).rules (.pg.pgman.ldap2pg.rules)) | flatten | toYAML | strings.Indent 2]]
|
||||
[[ (coll.Slice ((tmpl.Exec "postgres/ldap2pg_rules.yml.tpl" .) | yaml).rules (.pg.ldap2pg.rules)) | flatten | toYAML | strings.Indent 2]]
|
||||
_EOF
|
||||
destination = "secrets/ldap2pg.yml"
|
||||
uid = 100000
|
||||
|
@ -69,7 +78,7 @@ _EOF
|
|||
perms = 0400
|
||||
}
|
||||
|
||||
[[ template "common/resources.tpl" .pg.pgman.resources ]]
|
||||
[[ template "common/resources.tpl" .pg.ldap2pg.resources ]]
|
||||
}
|
||||
}
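Review bot: `LDAP2PG_CRON = [[ .pg.ldap2pg.cron | toJSON ]]` ends up echoed verbatim into the crontab line that supercronic executes (see `run.sh` in this commit), so anything placed in the `cron` value beyond a cron expression becomes part of a shell command; a comment here, `# trusted config: interpolated unquoted into the supercronic crontab by run.sh`, would record that the value must not come from an untrusted source. Separately, the deleted `pgman.nomad.hcl` had the copy-paste `PG_DB_[[ $idx ]]_OWNER = [[ $db.locale | toJSON ]]` in its `locale` branch; the same `range` loop continues past the end of this hunk in this template, so check whether it carries the same line and should set `_LOCALE` instead. The `env` block and the enclosing `task` start before and end after the individual hunks shown here.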
|
||||
|
||||
|
|
|
@ -31,8 +31,8 @@ pg:
|
|||
memory: 256
|
||||
env: {}
|
||||
|
||||
pgman:
|
||||
image: danielberteaud/pgman:latest
|
||||
ldap2pg:
|
||||
image: danielberteaud/ldap2pg:latest
|
||||
driver: docker
|
||||
resources:
|
||||
cpu: 20
|
||||
|
@ -43,6 +43,7 @@ pg:
|
|||
- destination_name: postgres
|
||||
local_bind_port: 5432
|
||||
databases: []
|
||||
ldap2pg:
|
||||
config: {}
|
||||
rules: []
|
||||
cron: 46 * * * *
|
||||
mode: dry
|
||||
config: {}
|
||||
rules: []
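Review bot: `image: danielberteaud/ldap2pg:latest` is a mutable tag for a container that runs as the `postgres` user (per the Dockerfile defaults in this commit) and rewrites role privileges; pin it to a version tag, and preferably a digest (`image: danielberteaud/ldap2pg:<version>@sha256:<digest>`), so a rebuilt upstream image cannot silently change what executes against the database. The default `cron: 46 * * * *` also switches the embedded ldap2pg group on for every deployment, because `postgres.nomad.hcl` includes it whenever `cron` is non-empty; an opt-in default of `cron: ""` is the safer baseline, and the value should be quoted (`cron: "46 * * * *"`) so YAML tooling does not stumble on the bare asterisks.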
|
||||
|
|