# Nomad job for one Traefik ingress instance, rendered from a gomplate-style
# template ([[ ... ]] delimiters, `[[-`/`-]]` trim surrounding whitespace).
# $c is the root context with the .traefik settings merged over it; it is
# rebound further down for the optional LemonLDAP::NG handler task.
# (merge is assumed to give precedence to its earlier argument — confirm
# against the common templates.)
[[ $c:= merge .traefik . -]]

job [[ .instance | toJSON ]] {

[[- template "common/job_start" $c ]]

# A single group: the Traefik task plus its optional sidecars (Prometheus
# metrics proxy, LL::NG handler), all sharing one network namespace.
group "traefik" {

count = [[ .traefik.count ]]

# Delay between service deregistration and the kill signal, so in-flight
# requests can drain before the allocation goes away.
shutdown_delay = "6s"

# Force different instances to run on distinct nodes
constraint {
operator = "distinct_hosts"
value = "true"
}

# Bridge mode: every task in the group shares this network namespace, so
# anything bound to loopback (e.g. the LL::NG handler below) is reachable
# only from tasks of this group, never from outside the allocation.
network {
mode = "bridge"

# One port per configured entrypoint. An entrypoint is rendered unless it
# carries an explicit `enabled: false`; `static` and `to` are optional.
[[- range $name, $def := .traefik.entrypoints ]]
[[- if or (not (has $def "enabled")) ($def.enabled) ]]
port "[[ $name ]]" {
[[- if has $def "static" ]]
static = [[ $def.static ]]
[[- end ]]
[[- if has $def "to" ]]
to = [[ $def.to ]]
[[- end ]]
}
[[- end ]]
[[- end ]]
# Dynamically allocated port for the metrics endpoint
port "metrics" {}
}

# Sidecar-facing service exposing the https port through Consul Connect;
# the "common/connect" template supplies the sidecar/proxy settings.
service {
name = "traefik-sidecar[[ .consul.suffix ]]"
port = "https"

[[ template "common/connect" $c ]]
}

# Main Traefik service. Its tags are written in Traefik's own dynamic
# configuration syntax (routers, middlewares) — presumably consumed by the
# Consul catalog provider set up in traefik.yml.tpl; confirm there.
service {
name = "[[ .instance ]]"
port = "https"
task = "traefik"

[[ template "common/metrics-meta" $c ]]

# Traefik supports native Consul service mesh
connect {
native = true
}

tags = [
"[[ .instance ]].enable=true",

# Strip the configured public path prefix (minus any trailing slash) and
# rewrite to the dashboard path. `$${1}` is the HCL escape for a literal
# `${1}` so Nomad does not try to interpolate the capture group.
"[[ .instance ]].http.middlewares.[[ .instance ]]-path.replacepathregex.regex=^[[ (.traefik.public_url | urlParse).Path |regexp.Replace "/$" "" ]]/(.*)",
"[[ .instance ]].http.middlewares.[[ .instance ]]-path.replacepathregex.replacement=/dashboard/$${1}",

# Dashboard/API router: matches the public hostname or the Consul service
# name (and any subdomain of it — `\\.` is the HCL escape for `\.`), under
# /api or the public path. api@internal exposes the dashboard and API, so
# the access controls (auth, allow-lists) are expected to come from the
# "common/traefik_middlewares" template — confirm that it enforces them.
"[[ .instance ]].http.routers.[[ .instance ]]-api.rule=(Host(`[[ (.traefik.public_url | urlParse).Hostname ]]`) || HostRegexp(`(.+\\.)?[[ .instance ]].service.[[ .consul.domain ]]`)) && (PathPrefix(`/api`) || PathPrefix(`[[ (.traefik.public_url | urlParse).Path ]]`))",
"[[ .instance ]].http.routers.[[ .instance ]]-api.entrypoints=[[ join (merge .traefik.api.traefik .traefik).entrypoints "," ]]",
"[[ .instance ]].http.routers.[[ .instance ]]-api.service=api@internal",
"[[ .instance ]].http.routers.[[ .instance ]]-api.middlewares=[[ template "common/traefik_middlewares" merge .traefik.api.traefik .traefik ]],traefik-path",

# Health-check router: GET /ping only, with a configurable priority and its
# own middleware chain (ping.traefik settings override the .traefik defaults).
"[[ .instance ]].http.routers.[[ .instance ]]-ping.rule=(Host(`[[ (.traefik.public_url | urlParse).Hostname ]]`) || HostRegexp(`(.+\\.)?[[ .instance ]].service.[[ .consul.domain ]]`)) && Path(`/ping`) && Method(`GET`)",
"[[ .instance ]].http.routers.[[ .instance ]]-ping.entrypoints=[[ join (merge .traefik.ping.traefik .traefik).entrypoints "," ]]",
"[[ .instance ]].http.routers.[[ .instance ]]-ping.service=ping@internal",
"[[ .instance ]].http.routers.[[ .instance ]]-ping.priority=[[ .traefik.ping.traefik.priority ]]",
"[[ .instance ]].http.routers.[[ .instance ]]-ping.middlewares=[[ template "common/traefik_middlewares" merge .traefik.ping.traefik .traefik ]]",

# Per-allocation tag; NOMAD_ALLOC_INDEX is interpolated by Nomad at run time.
"traefik-${NOMAD_ALLOC_INDEX}"
]
}

[[- if.prometheus.enabled ]]
[[- template "common/task.metrics_proxy" $c ]]
[[- end ]]

# Main Traefik task. (The optional Prometheus metrics proxy task is rendered
# just above when .prometheus.enabled is set; that directive is written
# `if.prometheus.enabled` without a space — the `.` terminates the keyword so
# it parses, but `if .prometheus.enabled` reads better.)
task "traefik" {
driver = [[ $c.nomad.driver | toJSON ]]
# Run unprivileged. The rendered files below are owned by 105443/100000,
# which looks like a user-namespace remapping of uid 5443 / gid 0 with a
# 100000 offset — confirm against the node's driver configuration.
user = 5443

# Vault token scoped to the per-instance policy, presumably used by the
# templates below to fetch secrets.
vault {
policies = ["[[ .instance ]][[ .consul.suffix ]]"]
}

config {
image = [[ .traefik.image | toJSON ]]
command = "traefik"
args = [
"--configfile=/secrets/traefik.yml"
]
}

# Main traefik configuration
# Rendered into the private secrets/ directory, readable only by the task
# user (0400).
template {
data =<<_EOF
[[ template "traefik/traefik.yml.tpl" . ]]
_EOF
destination = "secrets/traefik.yml"
perms = "0400"
uid = 105443
gid = 100000
}

# Dynamic file configuration
# One file per provider fragment. change_mode "noop" means Nomad neither
# restarts nor signals the task on re-render — presumably Traefik's file
# provider watches secrets/config itself (confirm in traefik.yml.tpl).
[[- range $file := coll.Slice "basicauth" "lemonldap" "certificates" "ip" "performance" "security" ]]

template {
data =<<_EOF
[[ tmpl.Exec (printf "traefik/config/%s.yml.tpl" $file) $ ]]
_EOF
destination = "secrets/config/[[ $file ]].yml"
change_mode = "noop"
perms = "0400"
uid = 105443
gid = 100000
}

[[ end -]]

[[ template "common/resources" .traefik.resources ]]
}

# Optional LemonLDAP::NG handler sidecar for SSO enforcement; the whole task
# is omitted when .lemonldap.enabled is false.
[[- if .lemonldap.enabled ]]

# Rebind $c so the common templates see the lemonldap settings first.
[[- $c = merge .lemonldap . ]]

# LL::NG handler for sso
task "lemonldap-ng-handler" {
driver = [[ $c.nomad.driver | toJSON ]]

config {
image = [[ .lemonldap.image | toJSON ]]
volumes = [
"secrets/lemonldap-ng.ini:/etc/lemonldap-ng/lemonldap-ng.ini:ro",
# Workaround this bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3047
"local/Traefik.pm:/usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Server/Traefik.pm:ro"
]
# Add a tmpfs to store config and session cache
[[ template "common/tmpfs" dict "size" "10000000" "target" "/tmp" ]]
}

# Started before the main task and kept running alongside it
lifecycle {
hook = "prestart"
sidecar = true
}

env {
CTD_CONFIG = "/local/caretakerd.yaml"
LLNG_SOCKET_PROTO = "http"
# Loopback only: reachable from the Traefik task through the shared bridge
# network namespace, not from outside the allocation.
LLNG_LISTEN = "127.0.0.1:8183"
SOURCE_SERVER = "traefik"
}

# Vault is needed here only to render the templates below: the token is
# neither exported as VAULT_TOKEN (env = false) nor written to
# secrets/vault_token (disable_file = true), so the handler process never
# sees it.
vault {
policies = ["[[ .instance ]][[ .consul.suffix ]]"]
env = false
disable_file = true
}

# Handler configuration, readable only by its (presumably remapped) uid.
template {
data =<<_EOT
[[ template "traefik/lemonldap-ng.ini.tpl" . ]]
_EOT
destination = "secrets/lemonldap-ng.ini"
perms = "0400"
uid = 100048
gid = 100048
}

# Patched handler module, mounted over the packaged one (see volumes above).
template {
data = <<_EOT
[[ template "traefik/Traefik.pm" ]]
_EOT
destination = "local/Traefik.pm"
}

# caretakerd configuration, pointed to by CTD_CONFIG above.
template {
data =<<_EOT
[[ template "traefik/caretakerd.yaml.tpl" . ]]
_EOT
destination = "local/caretakerd.yaml"
}

[[ template "common/resources" .lemonldap.resources ]]
}
[[- end ]]
}
}

# vim: syntax=hcl