Cleanups
parent
f65f15390f
commit
a92ecda6ce
|
@ -1,8 +1,8 @@
|
||||||
key_prefix "service/[[ .instance ]]" {
|
key_prefix "[[ .consul.kv.root ]]service/[[ .instance ]]" {
|
||||||
policy = "read"
|
policy = "read"
|
||||||
}
|
}
|
||||||
|
|
||||||
key_prefix "common/ip" {
|
key_prefix "[[ .consul.kv.root ]]common/ip" {
|
||||||
policy = "read"
|
policy = "read"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
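Review bot: Both `key_prefix` rules on the new side end without a trailing slash, so `service/[[ .instance ]]` also matches keys of any other service whose name merely starts with the same string, and `common/ip` matches every key beginning with `common/ip`. If only the subtree is meant, close the prefix: `key_prefix "[[ .consul.kv.root ]]service/[[ .instance ]]/" {`. Keep a separate exact `key` rule if a key at the bare path is read; that is not visible here. The new `[[ .consul.kv.root ]]` is joined with no separator, so it has to be empty or end in `/` for the rule to land where intended.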
@ -1,19 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
|
|
||||||
set -eu
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
if [ "traefik" != "traefik" ]; then
|
|
||||||
for DIR in vault consul nomad; do
|
|
||||||
if [ -d output/${DIR} ]; then
|
|
||||||
for FILE in $(find output/${DIR} -name "*traefik*.hcl" -type f); do
|
|
||||||
NEW_FILE=$(echo "${FILE}" | sed -E "s/traefik/traefik/g")
|
|
||||||
mv "${FILE}" "${NEW_FILE}"
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -76,10 +76,10 @@ job "traefik" {
|
||||||
|
|
||||||
"traefik.enable=true",
|
"traefik.enable=true",
|
||||||
"traefik.http.routers.traefik-api.entrypoints=https",
|
"traefik.http.routers.traefik-api.entrypoints=https",
|
||||||
"traefik.http.middlewares.traefik-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
"traefik.http.middlewares.csp-traefik-api.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
||||||
"traefik.http.middlewares.traefik-path.replacepathregex.regex=^/dashboard/(.*)",
|
"traefik.http.middlewares.traefik-path.replacepathregex.regex=^/dashboard/(.*)",
|
||||||
"traefik.http.middlewares.traefik-path.replacepathregex.replacement=/dashboard/$${1}",
|
"traefik.http.middlewares.traefik-path.replacepathregex.replacement=/dashboard/$${1}",
|
||||||
"traefik.http.routers.traefik-api.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,traefik-path,inflight-std@file,hsts@file,compression@file,traefik-csp",
|
"traefik.http.routers.traefik-api.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,traefik-path,inflight-std@file,hsts@file,compression@file,csp-traefik-api",
|
||||||
|
|
||||||
"traefik.http.routers.traefik-ping.rule=(Host(`traefik.example.org`) || HostRegexp(`(.+\\.)?traefik.service.consul`)) && Path(`/ping`) && Method(`GET`)",
|
"traefik.http.routers.traefik-ping.rule=(Host(`traefik.example.org`) || HostRegexp(`(.+\\.)?traefik.service.consul`)) && Path(`/ping`) && Method(`GET`)",
|
||||||
"traefik.http.routers.traefik-ping.service=ping@internal",
|
"traefik.http.routers.traefik-ping.service=ping@internal",
|
||||||
|
@ -87,8 +87,8 @@ job "traefik" {
|
||||||
"traefik.enable=true",
|
"traefik.enable=true",
|
||||||
"traefik.http.routers.traefik-ping.entrypoints=http,https",
|
"traefik.http.routers.traefik-ping.entrypoints=http,https",
|
||||||
"traefik.http.routers.traefik-ping.priority=2000",
|
"traefik.http.routers.traefik-ping.priority=2000",
|
||||||
"traefik.http.middlewares.traefik-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
"traefik.http.middlewares.csp-traefik-ping.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
||||||
"traefik.http.routers.traefik-ping.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,traefik-csp",
|
"traefik.http.routers.traefik-ping.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-traefik-ping",
|
||||||
|
|
||||||
|
|
||||||
"traefik-${NOMAD_ALLOC_INDEX}"
|
"traefik-${NOMAD_ALLOC_INDEX}"
|
||||||
|
@ -177,16 +177,16 @@ _EOF
|
||||||
data = <<_EOF
|
data = <<_EOF
|
||||||
---
|
---
|
||||||
|
|
||||||
{{ if gt (len (secrets "kv/service/traefik/basicauth/")) 0 }}
|
{{ if gt (len (secrets "/kv/service/traefik/basicauth/")) 0 }}
|
||||||
http:
|
http:
|
||||||
middlewares:
|
middlewares:
|
||||||
{{- range secrets "kv/service/traefik/basicauth/" }}
|
{{- range secrets "/kv/service/traefik/basicauth/" }}
|
||||||
basicauth-{{ . }}:
|
basicauth-{{ . }}:
|
||||||
basicAuth:
|
basicAuth:
|
||||||
realm: {{ . }}
|
realm: {{ . }}
|
||||||
removeheader: true
|
removeheader: true
|
||||||
users:
|
users:
|
||||||
{{- with secret (printf "kv/data/service/traefik/basicauth/%s" .) }}
|
{{- with secret (printf "/kv/data/service/traefik/basicauth/%s" .) }}
|
||||||
{{- range $k, $v := .Data.data }}
|
{{- range $k, $v := .Data.data }}
|
||||||
- {{ $k }}:{{ if $v | regexMatch "^\\$2y\\$" }}{{ $v }}{{ else }}{{ sprig_bcrypt $v }}{{ end }}
|
- {{ $k }}:{{ if $v | regexMatch "^\\$2y\\$" }}{{ $v }}{{ else }}{{ sprig_bcrypt $v }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -223,12 +223,12 @@ _EOF
|
||||||
data = <<_EOF
|
data = <<_EOF
|
||||||
---
|
---
|
||||||
|
|
||||||
{{- if ne 0 (len (secrets "kv/service/traefik/certs/")) }}
|
{{- if ne 0 (len (secrets "/kv/service/traefik/certs/")) }}
|
||||||
tls:
|
tls:
|
||||||
certificates:
|
certificates:
|
||||||
{{- range secrets "kv/service/traefik/certs/" }}
|
{{- range secrets "/kv/service/traefik/certs/" }}
|
||||||
{{- $cn := . }}
|
{{- $cn := . }}
|
||||||
{{- with secret (printf "kv/service/traefik/certs/%s" $cn) }}
|
{{- with secret (printf "/kv/service/traefik/certs/%s" $cn) }}
|
||||||
# {{ $cn }}
|
# {{ $cn }}
|
||||||
- certFile: |-
|
- certFile: |-
|
||||||
{{ .Data.data.cert | replaceAll "\n\n" "\n" | indent 8 }}
|
{{ .Data.data.cert | replaceAll "\n\n" "\n" | indent 8 }}
|
||||||
|
@ -418,7 +418,7 @@ http:
|
||||||
forward-proto:
|
forward-proto:
|
||||||
headers:
|
headers:
|
||||||
customRequestHeaders:
|
customRequestHeaders:
|
||||||
X-Fowarded-Proto: https
|
X-Forwarded-Proto: https
|
||||||
|
|
||||||
_EOF
|
_EOF
|
||||||
destination = "secrets/config/proxy.yml"
|
destination = "secrets/config/proxy.yml"
|
||||||
|
|
|
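Review bot: The new `csp-traefik-ping` middleware gives the `/ping` router the same policy as the dashboard, including `'unsafe-inline'` and `'unsafe-eval'` in `script-src`, although that router only serves `ping@internal` and is also bound to the `http` entrypoint. Since each router now has its own CSP middleware, the ping one can be locked down, e.g. `"traefik.http.middlewares.csp-traefik-ping.headers.contentsecuritypolicy=default-src 'none';",`. For `csp-traefik-api`, the two `unsafe-*` sources deserve a comment saying why the dashboard needs them. If this job file is rendered output, the change belongs in the template that emits these tags, which is not shown on this page.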
@ -1,16 +1,16 @@
|
||||||
# Get a consul token
|
# Get a consul token
|
||||||
path "consul/creds/traefik" {
|
path "/consul/creds/traefik" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
# Read traefik specific settings
|
# Read traefik specific settings
|
||||||
path "kv/data/service/traefik" {
|
path "/kv/data/service/traefik" {
|
||||||
capabilities = ["read", "list"]
|
capabilities = ["read", "list"]
|
||||||
}
|
}
|
||||||
|
|
||||||
# LIst and read traefik basic auth &cie
|
# List and read traefik basic auth &cie
|
||||||
path "kv/metadata/service/traefik/*" {
|
path "/kv/metadata/service/traefik/*" {
|
||||||
capabilities = ["list","read"]
|
capabilities = ["list","read"]
|
||||||
}
|
}
|
||||||
path "kv/data/service/traefik/*" {
|
path "/kv/data/service/traefik/*" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
[[ template "common/mv_conf.sh" dict "ctx" . "services" (dict "traefik" .instance) ]]
|
|
|
@ -1,15 +1,15 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
{{ if gt (len (secrets "[[ .vault.prefix ]]kv/service/traefik/basicauth/")) 0 }}
|
{{ if gt (len (secrets "[[ .vault.root ]]kv/service/[[ .instance ]]/basicauth/")) 0 }}
|
||||||
http:
|
http:
|
||||||
middlewares:
|
middlewares:
|
||||||
{{- range secrets "[[ .vault.prefix ]]kv/service/traefik/basicauth/" }}
|
{{- range secrets "[[ .vault.root ]]kv/service/[[ .instance ]]/basicauth/" }}
|
||||||
basicauth-{{ . }}:
|
basicauth-{{ . }}:
|
||||||
basicAuth:
|
basicAuth:
|
||||||
realm: {{ . }}
|
realm: {{ . }}
|
||||||
removeheader: true
|
removeheader: true
|
||||||
users:
|
users:
|
||||||
{{- with secret (printf "[[ .vault.prefix ]]kv/data/service/traefik/basicauth/%s" .) }}
|
{{- with secret (printf "[[ .vault.root ]]kv/data/service/[[ .instance ]]/basicauth/%s" .) }}
|
||||||
{{- range $k, $v := .Data.data }}
|
{{- range $k, $v := .Data.data }}
|
||||||
- {{ $k }}:{{ if $v | regexMatch "^\\$2y\\$" }}{{ $v }}{{ else }}{{ sprig_bcrypt $v }}{{ end }}
|
- {{ $k }}:{{ if $v | regexMatch "^\\$2y\\$" }}{{ $v }}{{ else }}{{ sprig_bcrypt $v }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
|
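Review bot: The `users:` line treats a value as already hashed only when it starts with `$2y$`, so a bcrypt hash stored with a `$2a$` or `$2b$` prefix falls into the `else` branch and is hashed again by `sprig_bcrypt`. The stored hash string itself then becomes the accepted password. Widening the test avoids that: `regexMatch "^\\$2[aby]\\$"`. The `else` branch also implies that plaintext passwords may be kept in the KV store, so a comment stating whether that is intended would help. The same line appears in the rendered job file earlier on the page.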
@ -1,11 +1,11 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
{{- if ne 0 (len (secrets "[[ .vault.prefix ]]kv/service/traefik/certs/")) }}
|
{{- if ne 0 (len (secrets "[[ .vault.root ]]kv/service/traefik/certs/")) }}
|
||||||
tls:
|
tls:
|
||||||
certificates:
|
certificates:
|
||||||
{{- range secrets "[[ .vault.prefix ]]kv/service/traefik/certs/" }}
|
{{- range secrets "[[ .vault.root ]]kv/service/traefik/certs/" }}
|
||||||
{{- $cn := . }}
|
{{- $cn := . }}
|
||||||
{{- with secret (printf "[[ .vault.prefix ]]kv/service/traefik/certs/%s" $cn) }}
|
{{- with secret (printf "[[ .vault.root ]]kv/service/traefik/certs/%s" $cn) }}
|
||||||
# {{ $cn }}
|
# {{ $cn }}
|
||||||
- certFile: |-
|
- certFile: |-
|
||||||
{{ .Data.data.cert | replaceAll "\n\n" "\n" | indent 8 }}
|
{{ .Data.data.cert | replaceAll "\n\n" "\n" | indent 8 }}
|
||||||
|
|
|
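Review bot: The three `secrets`/`secret` paths here still hard-code `service/traefik/certs/`, while the Vault policy and the basic-auth template in this commit now use `service/[[ .instance ]]`. For an instance not named `traefik`, these reads fall outside the paths that policy grants, so the template would presumably fail to render, or read another instance's certificates if some broader policy allows it. Suggested: `secrets "[[ .vault.root ]]kv/service/[[ .instance ]]/certs/"` and the matching `printf "[[ .vault.root ]]kv/service/[[ .instance ]]/certs/%s"`. Separately, the `with secret` path has no `data/` segment, unlike the basic-auth template's `kv/data/...`, so it is worth confirming that this is deliberate.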
@ -5,4 +5,4 @@ http:
|
||||||
forward-proto:
|
forward-proto:
|
||||||
headers:
|
headers:
|
||||||
customRequestHeaders:
|
customRequestHeaders:
|
||||||
X-Fowarded-Proto: https
|
X-Forwarded-Proto: https
|
||||||
|
|
|
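Review bot: With the header name corrected, `forward-proto` now really sets `X-Forwarded-Proto: https` on every request it is attached to, whatever scheme the client used. In the job file on this page the `traefik-ping` router lists `forward-proto@file` together with `entrypoints=http,https`, so plain-HTTP requests would be labelled as HTTPS. A backend that relies on this header for redirects or secure-cookie decisions would be misled. Consider attaching the middleware only to routers bound to the `https` entrypoint, or documenting the constraint next to it, e.g. `# forces https upstream; attach only to TLS-only routers`.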
@ -1,16 +1,16 @@
|
||||||
# Get a consul token
|
# Get a consul token
|
||||||
path "consul/creds/traefik" {
|
path "[[ .vault.root ]]consul/creds/[[ .instance ]]" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
# Read traefik specific settings
|
# Read traefik specific settings
|
||||||
path "[[ .vault.prefix ]]kv/data/service/traefik" {
|
path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
|
||||||
capabilities = ["read", "list"]
|
capabilities = ["read", "list"]
|
||||||
}
|
}
|
||||||
|
|
||||||
# LIst and read traefik basic auth &cie
|
# List and read traefik basic auth &cie
|
||||||
path "[[ .vault.prefix ]]kv/metadata/service/traefik/*" {
|
path "[[ .vault.root ]]kv/metadata/service/[[ .instance ]]/*" {
|
||||||
capabilities = ["list","read"]
|
capabilities = ["list","read"]
|
||||||
}
|
}
|
||||||
path "[[ .vault.prefix ]]kv/data/service/traefik/*" {
|
path "[[ .vault.root ]]kv/data/service/[[ .instance ]]/*" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
|
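Review bot: `[[ .vault.root ]]` is prepended to every `path` with no separator, so the policy only covers the intended mounts when the value is empty or ends in `/` (the rendered policy earlier on the page shows `/`). A value without the trailing slash would silently yield paths of the form `<root>kv/data/...`, which either grant nothing useful or match a differently named mount. A short header comment would make the contract explicit, e.g. `# vault.root is prepended verbatim: it must be empty or end with "/"`. The two comments that still say `traefik` could name the instance instead, since the paths are now per-instance.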