This commit is contained in:
Daniel Berteaud 2024-01-31 16:20:00 +01:00
parent f65f15390f
commit a92ecda6ce
9 changed files with 30 additions and 50 deletions


@ -1,8 +1,8 @@
key_prefix "service/[[ .instance ]]" { key_prefix "[[ .consul.kv.root ]]service/[[ .instance ]]" {
policy = "read" policy = "read"
} }
key_prefix "common/ip" { key_prefix "[[ .consul.kv.root ]]common/ip" {
policy = "read" policy = "read"
} }
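Review bot: The new `key_prefix "[[ .consul.kv.root ]]service/[[ .instance ]]"` on the first rule is still a pure prefix match, so an instance named `traefik` also gets read access to everything under `service/traefik2/…` or `service/traefik-admin/…`; terminating the prefix with a slash, `key_prefix "[[ .consul.kv.root ]]service/[[ .instance ]]/"`, confines it to that instance's own subtree. The concatenation also assumes `.consul.kv.root` is either empty or ends in `/` — a value like `nomad` would silently yield `nomadservice/…` and match nothing — so that convention deserves a comment at the top of the file, e.g. `# consul.kv.root must be empty or end with a trailing slash`.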


@ -1,19 +0,0 @@
#!/bin/sh
set -eu
if [ "traefik" != "traefik" ]; then
for DIR in vault consul nomad; do
if [ -d output/${DIR} ]; then
for FILE in $(find output/${DIR} -name "*traefik*.hcl" -type f); do
NEW_FILE=$(echo "${FILE}" | sed -E "s/traefik/traefik/g")
mv "${FILE}" "${NEW_FILE}"
done
fi
done
fi


@ -76,10 +76,10 @@ job "traefik" {
"traefik.enable=true", "traefik.enable=true",
"traefik.http.routers.traefik-api.entrypoints=https", "traefik.http.routers.traefik-api.entrypoints=https",
"traefik.http.middlewares.traefik-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';", "traefik.http.middlewares.csp-traefik-api.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
"traefik.http.middlewares.traefik-path.replacepathregex.regex=^/dashboard/(.*)", "traefik.http.middlewares.traefik-path.replacepathregex.regex=^/dashboard/(.*)",
"traefik.http.middlewares.traefik-path.replacepathregex.replacement=/dashboard/$${1}", "traefik.http.middlewares.traefik-path.replacepathregex.replacement=/dashboard/$${1}",
"traefik.http.routers.traefik-api.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,traefik-path,inflight-std@file,hsts@file,compression@file,traefik-csp", "traefik.http.routers.traefik-api.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,traefik-path,inflight-std@file,hsts@file,compression@file,csp-traefik-api",
"traefik.http.routers.traefik-ping.rule=(Host(`traefik.example.org`) || HostRegexp(`(.+\\.)?traefik.service.consul`)) && Path(`/ping`) && Method(`GET`)", "traefik.http.routers.traefik-ping.rule=(Host(`traefik.example.org`) || HostRegexp(`(.+\\.)?traefik.service.consul`)) && Path(`/ping`) && Method(`GET`)",
"traefik.http.routers.traefik-ping.service=ping@internal", "traefik.http.routers.traefik-ping.service=ping@internal",
@ -87,8 +87,8 @@ job "traefik" {
"traefik.enable=true", "traefik.enable=true",
"traefik.http.routers.traefik-ping.entrypoints=http,https", "traefik.http.routers.traefik-ping.entrypoints=http,https",
"traefik.http.routers.traefik-ping.priority=2000", "traefik.http.routers.traefik-ping.priority=2000",
"traefik.http.middlewares.traefik-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';", "traefik.http.middlewares.csp-traefik-ping.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
"traefik.http.routers.traefik-ping.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,traefik-csp", "traefik.http.routers.traefik-ping.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-traefik-ping",
"traefik-${NOMAD_ALLOC_INDEX}" "traefik-${NOMAD_ALLOC_INDEX}"
@ -177,16 +177,16 @@ _EOF
data = <<_EOF data = <<_EOF
--- ---
{{ if gt (len (secrets "kv/service/traefik/basicauth/")) 0 }} {{ if gt (len (secrets "/kv/service/traefik/basicauth/")) 0 }}
http: http:
middlewares: middlewares:
{{- range secrets "kv/service/traefik/basicauth/" }} {{- range secrets "/kv/service/traefik/basicauth/" }}
basicauth-{{ . }}: basicauth-{{ . }}:
basicAuth: basicAuth:
realm: {{ . }} realm: {{ . }}
removeheader: true removeheader: true
users: users:
{{- with secret (printf "kv/data/service/traefik/basicauth/%s" .) }} {{- with secret (printf "/kv/data/service/traefik/basicauth/%s" .) }}
{{- range $k, $v := .Data.data }} {{- range $k, $v := .Data.data }}
- {{ $k }}:{{ if $v | regexMatch "^\\$2y\\$" }}{{ $v }}{{ else }}{{ sprig_bcrypt $v }}{{ end }} - {{ $k }}:{{ if $v | regexMatch "^\\$2y\\$" }}{{ $v }}{{ else }}{{ sprig_bcrypt $v }}{{ end }}
{{- end }} {{- end }}
@ -223,12 +223,12 @@ _EOF
data = <<_EOF data = <<_EOF
--- ---
{{- if ne 0 (len (secrets "kv/service/traefik/certs/")) }} {{- if ne 0 (len (secrets "/kv/service/traefik/certs/")) }}
tls: tls:
certificates: certificates:
{{- range secrets "kv/service/traefik/certs/" }} {{- range secrets "/kv/service/traefik/certs/" }}
{{- $cn := . }} {{- $cn := . }}
{{- with secret (printf "kv/service/traefik/certs/%s" $cn) }} {{- with secret (printf "/kv/service/traefik/certs/%s" $cn) }}
# {{ $cn }} # {{ $cn }}
- certFile: |- - certFile: |-
{{ .Data.data.cert | replaceAll "\n\n" "\n" | indent 8 }} {{ .Data.data.cert | replaceAll "\n\n" "\n" | indent 8 }}
@ -418,7 +418,7 @@ http:
forward-proto: forward-proto:
headers: headers:
customRequestHeaders: customRequestHeaders:
X-Fowarded-Proto: https X-Forwarded-Proto: https
_EOF _EOF
destination = "secrets/config/proxy.yml" destination = "secrets/config/proxy.yml"


@ -1,16 +1,16 @@
# Get a consul token # Get a consul token
path "consul/creds/traefik" { path "/consul/creds/traefik" {
capabilities = ["read"] capabilities = ["read"]
} }
# Read traefik specific settings # Read traefik specific settings
path "kv/data/service/traefik" { path "/kv/data/service/traefik" {
capabilities = ["read", "list"] capabilities = ["read", "list"]
} }
# LIst and read traefik basic auth &cie # List and read traefik basic auth &cie
path "kv/metadata/service/traefik/*" { path "/kv/metadata/service/traefik/*" {
capabilities = ["list","read"] capabilities = ["list","read"]
} }
path "kv/data/service/traefik/*" { path "/kv/data/service/traefik/*" {
capabilities = ["read"] capabilities = ["read"]
} }


@ -1 +0,0 @@
[[ template "common/mv_conf.sh" dict "ctx" . "services" (dict "traefik" .instance) ]]


@ -1,15 +1,15 @@
--- ---
{{ if gt (len (secrets "[[ .vault.prefix ]]kv/service/traefik/basicauth/")) 0 }} {{ if gt (len (secrets "[[ .vault.root ]]kv/service/[[ .instance ]]/basicauth/")) 0 }}
http: http:
middlewares: middlewares:
{{- range secrets "[[ .vault.prefix ]]kv/service/traefik/basicauth/" }} {{- range secrets "[[ .vault.root ]]kv/service/[[ .instance ]]/basicauth/" }}
basicauth-{{ . }}: basicauth-{{ . }}:
basicAuth: basicAuth:
realm: {{ . }} realm: {{ . }}
removeheader: true removeheader: true
users: users:
{{- with secret (printf "[[ .vault.prefix ]]kv/data/service/traefik/basicauth/%s" .) }} {{- with secret (printf "[[ .vault.root ]]kv/data/service/[[ .instance ]]/basicauth/%s" .) }}
{{- range $k, $v := .Data.data }} {{- range $k, $v := .Data.data }}
- {{ $k }}:{{ if $v | regexMatch "^\\$2y\\$" }}{{ $v }}{{ else }}{{ sprig_bcrypt $v }}{{ end }} - {{ $k }}:{{ if $v | regexMatch "^\\$2y\\$" }}{{ $v }}{{ else }}{{ sprig_bcrypt $v }}{{ end }}
{{- end }} {{- end }}
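Review bot: The `regexMatch "^\\$2y\\$"` guard on the `users:` entry only recognises the `$2y$` bcrypt variant, so a `$2a$` or `$2b$` hash stored in Vault (what Go's bcrypt and several other generators emit) is treated as a plaintext password and re-hashed with `sprig_bcrypt`, producing a user entry that can never authenticate. Accepting every bcrypt prefix is a one-token change: `{{ if $v | regexMatch "^\\$2[abxy]\\$" }}`. Worth a comment on that line as well, e.g. `# values already in bcrypt form are passed through; anything else is assumed plaintext and hashed at render time`, since the plaintext branch is easy to misread as a validation step.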


@ -1,11 +1,11 @@
--- ---
{{- if ne 0 (len (secrets "[[ .vault.prefix ]]kv/service/traefik/certs/")) }} {{- if ne 0 (len (secrets "[[ .vault.root ]]kv/service/traefik/certs/")) }}
tls: tls:
certificates: certificates:
{{- range secrets "[[ .vault.prefix ]]kv/service/traefik/certs/" }} {{- range secrets "[[ .vault.root ]]kv/service/traefik/certs/" }}
{{- $cn := . }} {{- $cn := . }}
{{- with secret (printf "[[ .vault.prefix ]]kv/service/traefik/certs/%s" $cn) }} {{- with secret (printf "[[ .vault.root ]]kv/service/traefik/certs/%s" $cn) }}
# {{ $cn }} # {{ $cn }}
- certFile: |- - certFile: |-
{{ .Data.data.cert | replaceAll "\n\n" "\n" | indent 8 }} {{ .Data.data.cert | replaceAll "\n\n" "\n" | indent 8 }}
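Review bot: The three certificate lookups (`secrets` and `secret` on the `certs/` paths) still hard-code `kv/service/traefik/certs/`, whereas the basicauth template and the Vault policy template in this same commit were switched to `kv/service/[[ .instance ]]/…`; for any instance not literally named `traefik`, the policy only grants `kv/data/service/[[ .instance ]]/*` and `kv/metadata/service/[[ .instance ]]/*`, so the list here would presumably be refused and the certificate file would never render correctly. Either change the paths to `[[ .vault.root ]]kv/service/[[ .instance ]]/certs/` (and the `printf` to match), which is what the rest of the commit implies, or add an explicit `kv/data/service/traefik/certs/*` rule to the policy. Separately, this template reads `.Data.data.cert` (a KV-v2 shape) from a path without the `data/` segment that the basicauth template spells out; if consul-template's automatic KV-v2 path rewriting is being relied on, a comment saying so would save the next reader the same question. The enclosing `tls.certificates` list continues past the hunk.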


@ -5,4 +5,4 @@ http:
forward-proto: forward-proto:
headers: headers:
customRequestHeaders: customRequestHeaders:
X-Fowarded-Proto: https X-Forwarded-Proto: https
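Review bot: Correcting the header name from `X-Fowarded-Proto` to `X-Forwarded-Proto` turns a middleware that was effectively inert (backends ignore an unknown header) into one that unconditionally asserts the request arrived over HTTPS, and nothing in the middleware gates it on the entrypoint; the rendered job in this commit attaches `forward-proto@file` to a router whose entrypoints are `http,https`, so plain-HTTP requests on such a router would now be reported upstream as `https`. If any plain-HTTP router can reference this middleware, either restrict its use to TLS routers or drop the override and rely on the value Traefik sets per entrypoint. A comment above `forward-proto:` stating the intent, e.g. `# Forces X-Forwarded-Proto=https for backends behind the TLS entrypoint; do not attach to http routers`, would keep it from being reused on the wrong router.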


@ -1,16 +1,16 @@
# Get a consul token # Get a consul token
path "consul/creds/traefik" { path "[[ .vault.root ]]consul/creds/[[ .instance ]]" {
capabilities = ["read"] capabilities = ["read"]
} }
# Read traefik specific settings # Read traefik specific settings
path "[[ .vault.prefix ]]kv/data/service/traefik" { path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
capabilities = ["read", "list"] capabilities = ["read", "list"]
} }
# LIst and read traefik basic auth &cie # List and read traefik basic auth &cie
path "[[ .vault.prefix ]]kv/metadata/service/traefik/*" { path "[[ .vault.root ]]kv/metadata/service/[[ .instance ]]/*" {
capabilities = ["list","read"] capabilities = ["list","read"]
} }
path "[[ .vault.prefix ]]kv/data/service/traefik/*" { path "[[ .vault.root ]]kv/data/service/[[ .instance ]]/*" {
capabilities = ["read"] capabilities = ["read"]
} }
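Review bot: Every path is now built as `[[ .vault.root ]]kv/…`, and the rendered copy of this policy elsewhere in the commit shows `.vault.root` expanding to `/`, so the emitted paths carry a leading slash (`/kv/data/service/traefik`); Vault normally strips that when parsing policies, but it is worth confirming on the deployed version, because a non-matching policy path silently denies every read rather than erroring. The templating also assumes `.vault.root` is empty or slash-terminated, the same convention the Consul policy relies on for `.consul.kv.root`, and a comment such as `# vault.root must be empty or end with "/"` would document it. Separately, `capabilities = ["read", "list"]` on `kv/data/service/[[ .instance ]]` grants `list` on a KV-v2 data path where listing is a metadata operation; the `kv/metadata/…` rule below already provides that, so `["read"]` is the tighter grant here.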