traefik/traefik.nomad.hcl

[[ $c:= merge .traefik . -]]

job [[ .instance | toJSON ]] {

[[- template "common/job_start" $c ]]

  group "traefik" {
    count          = [[ .traefik.count ]]
    shutdown_delay = "6s"

    # Force different instances to run on distinct nodes
    constraint {
      operator = "distinct_hosts"
      value    = "true"
    }

    network {
      mode = "bridge"

[[- range $name, $def := .traefik.entrypoints ]]
  [[- if or (not (has $def "enabled")) ($def.enabled) ]]
      port "[[ $name ]]" {
    [[- if has $def "static" ]]
        static = [[ $def.static ]]
    [[- end ]]
    [[- if has $def "to" ]]
        to     = [[ $def.to ]]
    [[- end ]]
      }
  [[- end ]]
[[- end ]]
      port "metrics" {}
    }

    service {
      name = "traefik-sidecar[[ .consul.suffix ]]"
      port = "https"

[[ template "common/connect" $c ]]
    }

    service {
      name = "[[ .instance ]]"
      port = "https"
      task = "traefik"

[[ template "common/metrics-meta" $c ]]

      # Traefik supports native Consul service mesh
      connect {
        native = true
      }

      tags = [
        "[[ .instance ]].enable=true",

        "[[ .instance ]].http.middlewares.[[ .instance ]]-path.replacepathregex.regex=^[[ (.traefik.public_url | urlParse).Path |regexp.Replace "/$" "" ]]/(.*)",
        "[[ .instance ]].http.middlewares.[[ .instance ]]-path.replacepathregex.replacement=/dashboard/$${1}",

        "[[ .instance ]].http.routers.[[ .instance ]]-api.rule=(Host(`[[ (.traefik.public_url | urlParse).Hostname ]]`) || HostRegexp(`(.+\\.)?[[ .instance ]].service.[[ .consul.domain ]]`)) && (PathPrefix(`/api`) || PathPrefix(`[[ (.traefik.public_url | urlParse).Path ]]`))",
        "[[ .instance ]].http.routers.[[ .instance ]]-api.entrypoints=[[ join (merge .traefik.api.traefik .traefik).entrypoints "," ]]",
        "[[ .instance ]].http.routers.[[ .instance ]]-api.service=api@internal",
        "[[ .instance ]].http.routers.[[ .instance ]]-api.middlewares=[[ template "common/traefik_middlewares" merge .traefik.api.traefik .traefik ]],traefik-path",

        "[[ .instance ]].http.routers.[[ .instance ]]-ping.rule=(Host(`[[ (.traefik.public_url | urlParse).Hostname ]]`) || HostRegexp(`(.+\\.)?[[ .instance ]].service.[[ .consul.domain ]]`)) && Path(`/ping`) && Method(`GET`)",
        "[[ .instance ]].http.routers.[[ .instance ]]-ping.entrypoints=[[ join (merge .traefik.ping.traefik .traefik).entrypoints "," ]]",
        "[[ .instance ]].http.routers.[[ .instance ]]-ping.service=ping@internal",
        "[[ .instance ]].http.routers.[[ .instance ]]-ping.priority=[[ .traefik.ping.traefik.priority ]]",
        "[[ .instance ]].http.routers.[[ .instance ]]-ping.middlewares=[[ template "common/traefik_middlewares" merge .traefik.ping.traefik .traefik ]]",

        "traefik-${NOMAD_ALLOC_INDEX}"
      ]
    }

[[- if.prometheus.enabled ]]
  [[- template "common/task.metrics_proxy" $c ]]
[[- end ]]

    task "traefik" {
      driver = [[ $c.nomad.driver | toJSON ]]
      user   = 5443

      vault {
        policies = ["[[ .instance ]][[ .consul.suffix ]]"]
      }

      config {
        image = [[ .traefik.image | toJSON ]]
        command = "traefik"
        args = [
          "--configfile=/secrets/traefik.yml"
        ]
      }

      # Main traefik configuration
      template {
        data        =<<_EOF
[[ template "traefik/traefik.yml.tpl" . ]]
_EOF
        destination = "secrets/traefik.yml"
        perms       = "0400"
        uid         = 105443
        gid         = 100000
      }

  # Dynamic file configuration
  [[- range $file := coll.Slice "basicauth" "lemonldap" "certificates" "ip" "performance" "security" ]]

      template {
        data        =<<_EOF
[[ tmpl.Exec (printf "traefik/config/%s.yml.tpl" $file) $ ]]
_EOF
        destination = "secrets/config/[[ $file ]].yml"
        change_mode = "noop"
        perms       = "0400"
        uid         = 105443
        gid         = 100000
      }

[[ end -]]

[[ template "common/resources" .traefik.resources ]]
    }

[[- if .lemonldap.enabled ]]

  [[- $c = merge .lemonldap . ]]

    # LL::NG handler for sso
    task "lemonldap-ng-handler" {
      driver = [[ $c.nomad.driver | toJSON ]]

      config {
        image = [[ .lemonldap.image | toJSON ]]
        volumes = [
          "secrets/lemonldap-ng.ini:/etc/lemonldap-ng/lemonldap-ng.ini:ro",
          # Workaround this bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3047
          "local/Traefik.pm:/usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Server/Traefik.pm:ro"
        ]
        # Add a tmpfs to store config and session cache
[[ template "common/tmpfs" dict "size" "10000000" "target" "/tmp" ]]
      }

      lifecycle {
        hook    = "prestart"
        sidecar = true
      }

      env {
        CTD_CONFIG        = "/local/caretakerd.yaml"
        LLNG_SOCKET_PROTO = "http"
        LLNG_LISTEN       = "127.0.0.1:8183"
        SOURCE_SERVER     = "traefik"
      }

      vault {
        policies     = ["[[ .instance ]][[ .consul.suffix ]]"]
        env          = false
        disable_file = true
      }

      template {
        data        =<<_EOT
[[ template "traefik/lemonldap-ng.ini.tpl" . ]]
_EOT
        destination = "secrets/lemonldap-ng.ini"
        perms       = "0400"
        uid         = 100048
        gid         = 100048
      }

      template {
        data = <<_EOT
[[ template "traefik/Traefik.pm" ]]
_EOT
        destination = "local/Traefik.pm"
      }

      template {
        data =<<_EOT
[[ template "traefik/caretakerd.yaml.tpl" . ]]
_EOT
        destination = "local/caretakerd.yaml"
      }

      [[ template "common/resources" .lemonldap.resources ]]
    }
[[- end ]]
  }
}

# vim: syntax=hcl