This commit is contained in:
Daniel Berteaud 2024-01-31 16:20:00 +01:00
parent f65f15390f
commit a92ecda6ce
9 changed files with 30 additions and 50 deletions


@ -1,8 +1,8 @@
key_prefix "service/[[ .instance ]]" {
key_prefix "[[ .consul.kv.root ]]service/[[ .instance ]]" {
policy = "read"
}
key_prefix "common/ip" {
key_prefix "[[ .consul.kv.root ]]common/ip" {
policy = "read"
}
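Review bot: The two `key_prefix` rules now glue `[[ .consul.kv.root ]]` directly onto `service/…` and `common/ip`, so the policy is only correct when the root value is either empty or ends with `/`; a value like `traefik` (no trailing slash) would silently produce `traefikservice/…` and grant read on nothing. Presumably the default already ends in a slash, but the template itself does not enforce that. A one-line comment above the first rule, `# [[ .consul.kv.root ]] must be empty or end with "/"`, would make the contract visible to whoever sets the value.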


@ -1,19 +0,0 @@
#!/bin/sh
set -eu
if [ "traefik" != "traefik" ]; then
for DIR in vault consul nomad; do
if [ -d output/${DIR} ]; then
for FILE in $(find output/${DIR} -name "*traefik*.hcl" -type f); do
NEW_FILE=$(echo "${FILE}" | sed -E "s/traefik/traefik/g")
mv "${FILE}" "${NEW_FILE}"
done
fi
done
fi


@ -76,10 +76,10 @@ job "traefik" {
"traefik.enable=true",
"traefik.http.routers.traefik-api.entrypoints=https",
"traefik.http.middlewares.traefik-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
"traefik.http.middlewares.csp-traefik-api.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
"traefik.http.middlewares.traefik-path.replacepathregex.regex=^/dashboard/(.*)",
"traefik.http.middlewares.traefik-path.replacepathregex.replacement=/dashboard/$${1}",
"traefik.http.routers.traefik-api.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,traefik-path,inflight-std@file,hsts@file,compression@file,traefik-csp",
"traefik.http.routers.traefik-api.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,traefik-path,inflight-std@file,hsts@file,compression@file,csp-traefik-api",
"traefik.http.routers.traefik-ping.rule=(Host(`traefik.example.org`) || HostRegexp(`(.+\\.)?traefik.service.consul`)) && Path(`/ping`) && Method(`GET`)",
"traefik.http.routers.traefik-ping.service=ping@internal",
@ -87,8 +87,8 @@ job "traefik" {
"traefik.enable=true",
"traefik.http.routers.traefik-ping.entrypoints=http,https",
"traefik.http.routers.traefik-ping.priority=2000",
"traefik.http.middlewares.traefik-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
"traefik.http.routers.traefik-ping.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,traefik-csp",
"traefik.http.middlewares.csp-traefik-ping.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
"traefik.http.routers.traefik-ping.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-traefik-ping",
"traefik-${NOMAD_ALLOC_INDEX}"
@ -177,16 +177,16 @@ _EOF
data = <<_EOF
---
{{ if gt (len (secrets "kv/service/traefik/basicauth/")) 0 }}
{{ if gt (len (secrets "/kv/service/traefik/basicauth/")) 0 }}
http:
middlewares:
{{- range secrets "kv/service/traefik/basicauth/" }}
{{- range secrets "/kv/service/traefik/basicauth/" }}
basicauth-{{ . }}:
basicAuth:
realm: {{ . }}
removeheader: true
users:
{{- with secret (printf "kv/data/service/traefik/basicauth/%s" .) }}
{{- with secret (printf "/kv/data/service/traefik/basicauth/%s" .) }}
{{- range $k, $v := .Data.data }}
- {{ $k }}:{{ if $v | regexMatch "^\\$2y\\$" }}{{ $v }}{{ else }}{{ sprig_bcrypt $v }}{{ end }}
{{- end }}
@ -223,12 +223,12 @@ _EOF
data = <<_EOF
---
{{- if ne 0 (len (secrets "kv/service/traefik/certs/")) }}
{{- if ne 0 (len (secrets "/kv/service/traefik/certs/")) }}
tls:
certificates:
{{- range secrets "kv/service/traefik/certs/" }}
{{- range secrets "/kv/service/traefik/certs/" }}
{{- $cn := . }}
{{- with secret (printf "kv/service/traefik/certs/%s" $cn) }}
{{- with secret (printf "/kv/service/traefik/certs/%s" $cn) }}
# {{ $cn }}
- certFile: |-
{{ .Data.data.cert | replaceAll "\n\n" "\n" | indent 8 }}
@ -418,7 +418,7 @@ http:
forward-proto:
headers:
customRequestHeaders:
X-Fowarded-Proto: https
X-Forwarded-Proto: https
_EOF
destination = "secrets/config/proxy.yml"
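Review bot: The renamed CSP middleware is now declared twice with byte-identical content (`csp-traefik-api` at L41 and `csp-traefik-ping` at L54), so the two policies can drift apart the next time one is edited. A single middleware referenced from both `…middlewares=` lists would keep one source of truth; the ping router is a `GET /ping` health check (L46) that returns no HTML, so it arguably does not need a CSP at all. This is a rendered example of a template that is not in this commit, so the duplication presumably originates in that template rather than here.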


@ -1,16 +1,16 @@
# Get a consul token
path "consul/creds/traefik" {
path "/consul/creds/traefik" {
capabilities = ["read"]
}
# Read traefik specific settings
path "kv/data/service/traefik" {
path "/kv/data/service/traefik" {
capabilities = ["read", "list"]
}
# LIst and read traefik basic auth &cie
path "kv/metadata/service/traefik/*" {
# List and read traefik basic auth &cie
path "/kv/metadata/service/traefik/*" {
capabilities = ["list","read"]
}
path "kv/data/service/traefik/*" {
path "/kv/data/service/traefik/*" {
capabilities = ["read"]
}


@ -1 +0,0 @@
[[ template "common/mv_conf.sh" dict "ctx" . "services" (dict "traefik" .instance) ]]


@ -1,15 +1,15 @@
---
{{ if gt (len (secrets "[[ .vault.prefix ]]kv/service/traefik/basicauth/")) 0 }}
{{ if gt (len (secrets "[[ .vault.root ]]kv/service/[[ .instance ]]/basicauth/")) 0 }}
http:
middlewares:
{{- range secrets "[[ .vault.prefix ]]kv/service/traefik/basicauth/" }}
{{- range secrets "[[ .vault.root ]]kv/service/[[ .instance ]]/basicauth/" }}
basicauth-{{ . }}:
basicAuth:
realm: {{ . }}
removeheader: true
users:
{{- with secret (printf "[[ .vault.prefix ]]kv/data/service/traefik/basicauth/%s" .) }}
{{- with secret (printf "[[ .vault.root ]]kv/data/service/[[ .instance ]]/basicauth/%s" .) }}
{{- range $k, $v := .Data.data }}
- {{ $k }}:{{ if $v | regexMatch "^\\$2y\\$" }}{{ $v }}{{ else }}{{ sprig_bcrypt $v }}{{ end }}
{{- end }}
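Review bot: The bcrypt detection at L147 only recognises the `$2y$` prefix, so a value stored in Vault that is already hashed with the `$2a$` or `$2b$` variant is handed to `sprig_bcrypt` a second time and the resulting users entry can never authenticate; traefik's basic auth, which uses Go's bcrypt, accepts all three variants. `{{ if $v | regexMatch "^\\$2[aby]\\$" }}` would cover them, and the same line appears in the rendered copy at L74. The `{{ if }}` and `{{- range }}` opened in this hunk are closed outside it.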


@ -1,11 +1,11 @@
---
{{- if ne 0 (len (secrets "[[ .vault.prefix ]]kv/service/traefik/certs/")) }}
{{- if ne 0 (len (secrets "[[ .vault.root ]]kv/service/traefik/certs/")) }}
tls:
certificates:
{{- range secrets "[[ .vault.prefix ]]kv/service/traefik/certs/" }}
{{- range secrets "[[ .vault.root ]]kv/service/traefik/certs/" }}
{{- $cn := . }}
{{- with secret (printf "[[ .vault.prefix ]]kv/service/traefik/certs/%s" $cn) }}
{{- with secret (printf "[[ .vault.root ]]kv/service/traefik/certs/%s" $cn) }}
# {{ $cn }}
- certFile: |-
{{ .Data.data.cert | replaceAll "\n\n" "\n" | indent 8 }}
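Review bot: The certs template still hard-codes `traefik` in all three Vault paths (L155, L159, L162) while the basicauth template at L134–145 and the policy template at L186–196 were switched to `[[ .instance ]]` in the same commit. For any instance not literally named `traefik`, the policy grants `kv/data/service/<instance>/*` but this file reads `kv/service/traefik/certs/`, so rendering will fail with a permission error, or, if someone widens the policy to make it work, one deployment ends up reading another's certificates. Replacing `traefik` with `[[ .instance ]]` on those three lines, e.g. `{{- range secrets "[[ .vault.root ]]kv/service/[[ .instance ]]/certs/" }}`, keeps the three templates consistent. The `{{- if }}`, `{{- range }}` and `{{- with }}` opened here close outside the hunk.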


@ -5,4 +5,4 @@ http:
forward-proto:
headers:
customRequestHeaders:
X-Fowarded-Proto: https
X-Forwarded-Proto: https


@ -1,16 +1,16 @@
# Get a consul token
path "consul/creds/traefik" {
path "[[ .vault.root ]]consul/creds/[[ .instance ]]" {
capabilities = ["read"]
}
# Read traefik specific settings
path "[[ .vault.prefix ]]kv/data/service/traefik" {
path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
capabilities = ["read", "list"]
}
# LIst and read traefik basic auth &cie
path "[[ .vault.prefix ]]kv/metadata/service/traefik/*" {
# List and read traefik basic auth &cie
path "[[ .vault.root ]]kv/metadata/service/[[ .instance ]]/*" {
capabilities = ["list","read"]
}
path "[[ .vault.prefix ]]kv/data/service/traefik/*" {
path "[[ .vault.root ]]kv/data/service/[[ .instance ]]/*" {
capabilities = ["read"]
}