Cleanup

templates/traefik.yml.tpl

@@ -5,35 +5,6 @@ accessLog:
   bufferingSize: 100
 
 entryPoints:
-  http:
-    address: ":{{ env "NOMAD_PORT_http" }}"
-[[- if gt (len .traefik.trusted_proxies) 0 ]]
-    proxyProtocol:
-      trustedIPs:[[ range $idx, $ip := .traefik.trusted_proxies ]]
-        - [[ $ip ]][[ end ]]
-[[- end ]]
-    http:
-      redirections:
-        entryPoint:
-          to: ":{{ env "NOMAD_HOST_PORT_https" }}"
-          priority: 1000
-    transport:
-      lifeCycle:
-        requestAcceptGraceTimeout: 4
-
-  https:
-    address: ":{{ env "NOMAD_PORT_https" }}"
-[[- if gt (len .traefik.trusted_proxies) 0 ]]
-    proxyProtocol:
-      trustedIPs:[[ range $idx, $ip := .traefik.trusted_proxies ]]
-        - [[ $ip ]][[ end ]]
-[[- end ]]
-    http:
-      tls: {}
-    transport:
-      lifeCycle:
-        requestAcceptGraceTimeout: 4
-
 [[- if .prometheus.enabled ]]
   metrics:
     address: "127.0.0.1:9500"
@@ -47,6 +18,10 @@ entryPoints:
     proxyProtocol:
       trustedIPs:[[ range $idx, $ip := $.traefik.trusted_proxies ]]
         - [[ $ip ]][[ end ]]
+  [[- if has $def "http" ]]
+    http:
+[[ $def.http | toYAML | indent 6 ]]
+  [[- end ]]
     transport:
       lifeCycle:
         requestAcceptGraceTimeout: 4

traefik.nomad.hcl

@@ -1,6 +1,8 @@
-job "traefik" {
+[[ $c:= merge .traefik . -]]
 
-[[- template "common/job_start.tpl" dict "ctx" . "nomad" .nomad ]]
+job [[ .traefik.instance | toJSON ]] {
+
+[[- template "common/job_start.tpl" $c ]]
 
   group "traefik" {
     count          = [[ .traefik.count ]]
@@ -9,15 +11,8 @@ job "traefik" {
     network {
       mode = "bridge"
 
-      port "http" {
-        static = 80
-        to     = 5080
-      }
-      port "https" {
-        static = 443
-        to     = 5443
-      }
       [[- range $name, $def := .traefik.entrypoints ]]
+        [[- if or (not (has $def "enabled")) ($def.enabled) ]]
       port "[[ $name ]]" {
         [[- if has $def "static" ]]
         static = [[ $def.static ]]
@@ -26,15 +21,16 @@ job "traefik" {
         to     = [[ $def.to ]]
         [[- end ]]
       }
+        [[- end ]]
       [[- end ]]
       port "metrics" {}
     }
 
     service {
-      name = "traefik-sidecar[[ .env.suffix ]]"
+      name = "traefik-sidecar[[ .consul.suffix ]]"
       port = "https"
 
-[[ template "common/connect.tpl" dict "ctx" . "config" .traefik ]]
+[[ template "common/connect.tpl" $c ]]
     }
 
     service {
@@ -42,7 +38,7 @@ job "traefik" {
       port = "https"
       task = "traefik"
 
-[[ template "common/metrics-meta.tpl" . ]]
+[[ template "common/metrics-meta.tpl" $c ]]
 
       check_restart {
         limit = 3
@@ -90,57 +86,16 @@ job "traefik" {
       ]
     }
 
-[[- if .lemonldap.enabled ]]
-
-    # LL::NG handler for sso
-    task "llng-handler" {
-      driver = [[ .lemonldap.driver | toJSON ]]
-
-      config {
-        image = [[ .lemonldap.image | toJSON ]]
-        volumes = [
-          "secrets/lemonldap-ng.ini:/etc/lemonldap-ng/lemonldap-ng.ini:ro",
-        ]
-      }
-
-      lifecycle {
-        hook    = "prestart"
-        sidecar = true
-      }
-
-      vault {
-        policies     = ["[[ .traefik.instance ]][[ .env.suffix ]]"]
-        env          = false
-        disable_file = true
-      }
-
-      template {
-        data        =<<_EOF
-[[ template "traefik/lemonldap-ng.ini.tpl" . ]]
-_EOF
-        destination = "secrets/lemonldap-ng.ini"
-        perms       = "0400"
-        uid         = 100048
-        gid         = 100048
-      }
-
-      [[ template "common/resources.tpl" .lemonldap.resources ]]
-    }
-  [[- end ]]
-
-  [[- if.prometheus.enabled ]]
-    [[- template "common/task.metrics_proxy.tpl"
-         dict "env_suffix"   .env.suffix
-              "vault_prefix" .vault.prefix
-              "metrics_url"  "http://localhost:9500/metrics" ]]
-  [[- end ]]
+[[- if.prometheus.enabled ]]
+  [[- template "common/task.metrics_proxy.tpl" $c ]]
+[[- end ]]
 
     task "traefik" {
-      driver = [[ .traefik.driver | toJSON ]]
+      driver = [[ $c.nomad.driver | toJSON ]]
       user   = 5443
 
       vault {
-        policies = ["[[ .traefik.instance ]][[ .env.suffix ]]"]
+        policies = ["[[ .traefik.instance ]][[ .consul.suffix ]]"]
       }
 
       config {
@@ -180,6 +135,46 @@ _EOF
 
 [[ template "common/resources.tpl" .traefik.resources ]]
     }
+
+[[- if .lemonldap.enabled ]]
+
+  [[- $c = merge .lemonldap . ]]
+
+    # LL::NG handler for sso
+    task "llng-handler" {
+      driver = [[ $c.nomad.driver | toJSON ]]
+
+      config {
+        image = [[ .lemonldap.image | toJSON ]]
+        volumes = [
+          "secrets/lemonldap-ng.ini:/etc/lemonldap-ng/lemonldap-ng.ini:ro",
+        ]
+      }
+
+      lifecycle {
+        hook    = "prestart"
+        sidecar = true
+      }
+
+      vault {
+        policies     = ["[[ .traefik.instance ]][[ .consul.suffix ]]"]
+        env          = false
+        disable_file = true
+      }
+
+      template {
+        data        =<<_EOF
+  [[ template "traefik/lemonldap-ng.ini.tpl" . ]]
+_EOF
+        destination = "secrets/lemonldap-ng.ini"
+        perms       = "0400"
+        uid         = 100048
+        gid         = 100048
+      }
+
+      [[ template "common/resources.tpl" .lemonldap.resources ]]
+    }
+[[- end ]]
   }
 }
 

variables.yml

@@ -1,6 +1,10 @@
 ---
 
 traefik:
+
+  # Instance (if several instances run on the same namespace)
+  instance: traefik
+
   # Docker image to use for Traefik
   image: danielberteaud/traefik:3.0-1
 
@@ -9,9 +13,6 @@ traefik:
     cpu: 200
     memory: 180
 
-  # The driver to use (docker or podman)
-  driver: docker
-
   # Number of traefik instances
   count: 2
 
@@ -37,10 +38,7 @@ traefik:
   # List of trusted proxies from whom to trust proxy protocol v1/v2 source address
   trusted_proxies: []
 
-  # List of additional entrypoints. There's already 3 configured
-  # - https on port 443
-  # - http on port 80
-  # - metrics on port 9500
+  # List entrypoints to configure. Note that if prometheus is enabled, another entrypoint named metrics will bind on 127.0.0.1:9500
   # entrypoints:
   #   postgres:
   #     static: 5432
@@ -52,7 +50,20 @@ traefik:
   #     static: 514
   #     to: 5514
   #     protocol: udp
-  entrypoints: {}
+  entrypoints:
+    http:
+      static: 80
+      to: 5080
+      http:
+        redirections:
+          entryPoint:
+            to: :{{ env "NOMAD_HOST_PORT_https" }}
+            priority: 1000
+    https:
+      static: 443
+      to: 5443
+      http:
+        tls: {}
 
   # The public URL, on which the following endpoints will be exposed
   # - /api : the API
@@ -60,6 +71,12 @@ traefik:
   # Note : this URL should have a path (so https://traefik.example.org/ is invalid but https://traefik/example.org/dashboard is valid)
   public_url: https://traefik.example.org/dashboard
 
+  # Prometheus settings
+  prometheus:
+    # The metrics_url should point on the metrics endpoint from the container's POV
+    # It'll be used to exposed metrics using a nginx proxy (adding mTLS)
+    metrics_url: http://localhost:9500/metrics
+
 lemonldap:
   # If enabled, will run a Lemonldap::NG handler sidecar
   # able to auth using the lemonldap@file middleware
@@ -73,9 +90,6 @@ lemonldap:
     cpu: 100
     memory: 128
 
-  # The driver to use (docker or podman)
-  driver: docker
-
   # DB the handler will use for config and session
   # Only MySQL/MariaDB is supported for now
   db: