Cleanups
parent
f65f15390f
commit
a92ecda6ce
|
@ -1,8 +1,8 @@
|
|||
key_prefix "service/[[ .instance ]]" {
|
||||
key_prefix "[[ .consul.kv.root ]]service/[[ .instance ]]" {
|
||||
policy = "read"
|
||||
}
|
||||
|
||||
key_prefix "common/ip" {
|
||||
key_prefix "[[ .consul.kv.root ]]common/ip" {
|
||||
policy = "read"
|
||||
}
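Review bot: Both `key_prefix` rules on the new side lack a trailing slash, and Consul matches them as plain string prefixes, so `[[ .consul.kv.root ]]service/[[ .instance ]]` also grants read on any other service whose name starts with the instance name. With a constructed example, an instance called `traefik` would also cover `service/traefik-internal/...`. Now that the name is templated, consider `key_prefix "[[ .consul.kv.root ]]service/[[ .instance ]]/" {`, assuming the job only reads keys below that directory. The root is concatenated without a separator, so a comment such as `# consul.kv.root must be empty or end with "/"` would document the expectation.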
|
||||
|
||||
|
|
|
@ -1,19 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -eu
|
||||
|
||||
|
||||
|
||||
if [ "traefik" != "traefik" ]; then
|
||||
for DIR in vault consul nomad; do
|
||||
if [ -d output/${DIR} ]; then
|
||||
for FILE in $(find output/${DIR} -name "*traefik*.hcl" -type f); do
|
||||
NEW_FILE=$(echo "${FILE}" | sed -E "s/traefik/traefik/g")
|
||||
mv "${FILE}" "${NEW_FILE}"
|
||||
done
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
|
||||
|
|
@ -76,10 +76,10 @@ job "traefik" {
|
|||
|
||||
"traefik.enable=true",
|
||||
"traefik.http.routers.traefik-api.entrypoints=https",
|
||||
"traefik.http.middlewares.traefik-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
||||
"traefik.http.middlewares.csp-traefik-api.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
||||
"traefik.http.middlewares.traefik-path.replacepathregex.regex=^/dashboard/(.*)",
|
||||
"traefik.http.middlewares.traefik-path.replacepathregex.replacement=/dashboard/$${1}",
|
||||
"traefik.http.routers.traefik-api.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,traefik-path,inflight-std@file,hsts@file,compression@file,traefik-csp",
|
||||
"traefik.http.routers.traefik-api.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,traefik-path,inflight-std@file,hsts@file,compression@file,csp-traefik-api",
|
||||
|
||||
"traefik.http.routers.traefik-ping.rule=(Host(`traefik.example.org`) || HostRegexp(`(.+\\.)?traefik.service.consul`)) && Path(`/ping`) && Method(`GET`)",
|
||||
"traefik.http.routers.traefik-ping.service=ping@internal",
|
||||
|
@ -87,8 +87,8 @@ job "traefik" {
|
|||
"traefik.enable=true",
|
||||
"traefik.http.routers.traefik-ping.entrypoints=http,https",
|
||||
"traefik.http.routers.traefik-ping.priority=2000",
|
||||
"traefik.http.middlewares.traefik-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
||||
"traefik.http.routers.traefik-ping.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,traefik-csp",
|
||||
"traefik.http.middlewares.csp-traefik-ping.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
||||
"traefik.http.routers.traefik-ping.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-traefik-ping",
|
||||
|
||||
|
||||
"traefik-${NOMAD_ALLOC_INDEX}"
|
||||
|
@ -177,16 +177,16 @@ _EOF
|
|||
data = <<_EOF
|
||||
---
|
||||
|
||||
{{ if gt (len (secrets "kv/service/traefik/basicauth/")) 0 }}
|
||||
{{ if gt (len (secrets "/kv/service/traefik/basicauth/")) 0 }}
|
||||
http:
|
||||
middlewares:
|
||||
{{- range secrets "kv/service/traefik/basicauth/" }}
|
||||
{{- range secrets "/kv/service/traefik/basicauth/" }}
|
||||
basicauth-{{ . }}:
|
||||
basicAuth:
|
||||
realm: {{ . }}
|
||||
removeheader: true
|
||||
users:
|
||||
{{- with secret (printf "kv/data/service/traefik/basicauth/%s" .) }}
|
||||
{{- with secret (printf "/kv/data/service/traefik/basicauth/%s" .) }}
|
||||
{{- range $k, $v := .Data.data }}
|
||||
- {{ $k }}:{{ if $v | regexMatch "^\\$2y\\$" }}{{ $v }}{{ else }}{{ sprig_bcrypt $v }}{{ end }}
|
||||
{{- end }}
|
||||
|
@ -223,12 +223,12 @@ _EOF
|
|||
data = <<_EOF
|
||||
---
|
||||
|
||||
{{- if ne 0 (len (secrets "kv/service/traefik/certs/")) }}
|
||||
{{- if ne 0 (len (secrets "/kv/service/traefik/certs/")) }}
|
||||
tls:
|
||||
certificates:
|
||||
{{- range secrets "kv/service/traefik/certs/" }}
|
||||
{{- range secrets "/kv/service/traefik/certs/" }}
|
||||
{{- $cn := . }}
|
||||
{{- with secret (printf "kv/service/traefik/certs/%s" $cn) }}
|
||||
{{- with secret (printf "/kv/service/traefik/certs/%s" $cn) }}
|
||||
# {{ $cn }}
|
||||
- certFile: |-
|
||||
{{ .Data.data.cert | replaceAll "\n\n" "\n" | indent 8 }}
|
||||
|
@ -418,7 +418,7 @@ http:
|
|||
forward-proto:
|
||||
headers:
|
||||
customRequestHeaders:
|
||||
X-Fowarded-Proto: https
|
||||
X-Forwarded-Proto: https
|
||||
|
||||
_EOF
|
||||
destination = "secrets/config/proxy.yml"
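Review bot: The two renamed CSP middlewares (`csp-traefik-api` in the first hunk, `csp-traefik-ping` in the second) still carry `script-src 'self' 'unsafe-inline' 'unsafe-eval'`, which gives up most of the script-injection protection a CSP is meant to provide. The ping router is served by `ping@internal` and returns no page, so it could take a far tighter value such as `default-src 'none'`. For the dashboard router, check whether the UI really needs both keywords and record the reason in a comment if it does. These labels look generated from a shared template, so the change probably belongs there rather than in this file.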
|
||||
|
|
|
@ -1,16 +1,16 @@
|
|||
# Get a consul token
|
||||
path "consul/creds/traefik" {
|
||||
path "/consul/creds/traefik" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
# Read traefik specific settings
|
||||
path "kv/data/service/traefik" {
|
||||
path "/kv/data/service/traefik" {
|
||||
capabilities = ["read", "list"]
|
||||
}
|
||||
|
||||
# LIst and read traefik basic auth &cie
|
||||
path "kv/metadata/service/traefik/*" {
|
||||
# List and read traefik basic auth &cie
|
||||
path "/kv/metadata/service/traefik/*" {
|
||||
capabilities = ["list","read"]
|
||||
}
|
||||
path "kv/data/service/traefik/*" {
|
||||
path "/kv/data/service/traefik/*" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
[[ template "common/mv_conf.sh" dict "ctx" . "services" (dict "traefik" .instance) ]]
|
|
@ -1,15 +1,15 @@
|
|||
---
|
||||
|
||||
{{ if gt (len (secrets "[[ .vault.prefix ]]kv/service/traefik/basicauth/")) 0 }}
|
||||
{{ if gt (len (secrets "[[ .vault.root ]]kv/service/[[ .instance ]]/basicauth/")) 0 }}
|
||||
http:
|
||||
middlewares:
|
||||
{{- range secrets "[[ .vault.prefix ]]kv/service/traefik/basicauth/" }}
|
||||
{{- range secrets "[[ .vault.root ]]kv/service/[[ .instance ]]/basicauth/" }}
|
||||
basicauth-{{ . }}:
|
||||
basicAuth:
|
||||
realm: {{ . }}
|
||||
removeheader: true
|
||||
users:
|
||||
{{- with secret (printf "[[ .vault.prefix ]]kv/data/service/traefik/basicauth/%s" .) }}
|
||||
{{- with secret (printf "[[ .vault.root ]]kv/data/service/[[ .instance ]]/basicauth/%s" .) }}
|
||||
{{- range $k, $v := .Data.data }}
|
||||
- {{ $k }}:{{ if $v | regexMatch "^\\$2y\\$" }}{{ $v }}{{ else }}{{ sprig_bcrypt $v }}{{ end }}
|
||||
{{- end }}
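Review bot: The hash check on the `users` line only recognises the `$2y$` bcrypt prefix, so a value stored in Vault as `$2a$` or `$2b$` (or in another htpasswd format) is treated as a plaintext password and passed to `sprig_bcrypt` again. The intended password then stops working, and the stored hash string itself becomes the accepted credential. Widening the test to `{{ if $v | regexMatch "^\\$2[aby]\\$" }}` covers the common bcrypt variants, and a comment above the line should state which formats are accepted as already hashed. The same line appears in the rendered job file earlier in this commit, and the template continues outside this hunk.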
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
---
|
||||
|
||||
{{- if ne 0 (len (secrets "[[ .vault.prefix ]]kv/service/traefik/certs/")) }}
|
||||
{{- if ne 0 (len (secrets "[[ .vault.root ]]kv/service/traefik/certs/")) }}
|
||||
tls:
|
||||
certificates:
|
||||
{{- range secrets "[[ .vault.prefix ]]kv/service/traefik/certs/" }}
|
||||
{{- range secrets "[[ .vault.root ]]kv/service/traefik/certs/" }}
|
||||
{{- $cn := . }}
|
||||
{{- with secret (printf "[[ .vault.prefix ]]kv/service/traefik/certs/%s" $cn) }}
|
||||
{{- with secret (printf "[[ .vault.root ]]kv/service/traefik/certs/%s" $cn) }}
|
||||
# {{ $cn }}
|
||||
- certFile: |-
|
||||
{{ .Data.data.cert | replaceAll "\n\n" "\n" | indent 8 }}
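Review bot: The three certificate paths still hard-code `traefik` (`[[ .vault.root ]]kv/service/traefik/certs/`), while the basic-auth template and the Vault policy in this commit switch to `[[ .instance ]]`. For any instance not named `traefik` these lookups fall outside `kv/data/service/[[ .instance ]]/*` and would be denied. Either use `[[ .vault.root ]]kv/service/[[ .instance ]]/certs/` in all three places or, if the certificates are meant to be shared between instances, add an explicit read-only rule for that path to the policy and say so in a comment.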
|
||||
|
|
|
@ -5,4 +5,4 @@ http:
|
|||
forward-proto:
|
||||
headers:
|
||||
customRequestHeaders:
|
||||
X-Fowarded-Proto: https
|
||||
X-Forwarded-Proto: https
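Review bot: With the header name corrected, `forward-proto` now really sets `X-Forwarded-Proto: https` on every request it handles, whatever scheme the client used. The job file in this commit attaches `forward-proto@file` to the `traefik-ping` router, which listens on `entrypoints=http,https`, so a plain-HTTP request would be reported upstream as HTTPS. That is harmless for `ping@internal`, but a backend that bases redirects or secure-cookie decisions on this header would be misled. A comment such as `# attach only to routers bound to TLS entrypoints` above the middleware, plus a check of the routers that reference it, would help. The middleware definition starts outside this hunk.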
|
||||
|
|
|
@ -1,16 +1,16 @@
|
|||
# Get a consul token
|
||||
path "consul/creds/traefik" {
|
||||
path "[[ .vault.root ]]consul/creds/[[ .instance ]]" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
# Read traefik specific settings
|
||||
path "[[ .vault.prefix ]]kv/data/service/traefik" {
|
||||
path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
|
||||
capabilities = ["read", "list"]
|
||||
}
|
||||
|
||||
# LIst and read traefik basic auth &cie
|
||||
path "[[ .vault.prefix ]]kv/metadata/service/traefik/*" {
|
||||
# List and read traefik basic auth &cie
|
||||
path "[[ .vault.root ]]kv/metadata/service/[[ .instance ]]/*" {
|
||||
capabilities = ["list","read"]
|
||||
}
|
||||
path "[[ .vault.prefix ]]kv/data/service/traefik/*" {
|
||||
path "[[ .vault.root ]]kv/data/service/[[ .instance ]]/*" {
|
||||
capabilities = ["read"]
|
||||
}
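Review bot: The first rule changes in two ways at once: `consul/creds/traefik` had no prefix before and now sits under `[[ .vault.root ]]`, and the role name becomes `[[ .instance ]]`. If `vault.root` is a prefix that only applies to the kv mount, or if no Consul secrets-engine role exists under the instance name, token issuance will be denied at runtime; this cannot be confirmed from the lines shown. The comments still say "traefik" although the paths are now per instance. Something like `# Get a consul token (role is named after the instance)` and `# Read instance-specific settings` would keep them accurate.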
|
||||
|
|