Add read-only implementation of fixers as scheduled batches

2023-10-23 12:59:41 -07:00 · 2023-10-23 12:59:41 -07:00 · 1b48892172
commit 1b48892172
parent 48a48bb080
2 changed files with 68 additions and 0 deletions
--- a/services/nomad-fixers.nomad
+++ b/services/nomad-fixers.nomad
@ -0,0 +1,46 @@
+job "fixers" {
+
+  type = "batch"
+
+  periodic {
+    cron = "*/15 * * * * *"
+    prohibit_overlap = true
+  }
+
+  group "main" {
+
+    task "orphaned_services" {
+      driver = "docker"
+
+      config {
+        image = "iamthefij/nomad-service-fixers:0.1.0"
+        command = "/scripts/nomad_orphan_services.py"
+      }
+
+      env = {
+        NOMAD_ADDR = "http+unix://%2Fsecrets%2Fapi.sock"
+      }
+
+      identity {
+        env = true
+      }
+    }
+
+    task "missing_services" {
+      driver = "docker"
+
+      config {
+        image = "iamthefij/nomad-service-fixers:0.1.0"
+        command = "/scripts/nomad_missing_services.py"
+      }
+
+      env = {
+        NOMAD_ADDR = "http+unix://%2Fsecrets%2Fapi.sock"
+      }
+
+      identity {
+        env = true
+      }
+    }
+  }
+}
--- a/services/nomad-fixers.tf
+++ b/services/nomad-fixers.tf
@ -0,0 +1,22 @@
+resource "nomad_job" "nomad-fixers" {
+  jobspec = file("${path.module}/nomad-fixers.nomad")
+}
+
+resource "nomad_acl_policy" "nomad_fixers_workload" {
+  name        = "nomad-fixers-workload"
+  description = "Give nomad fixers access to the Nomad api for fixing things"
+  rules_hcl   = <<EOH
+namespace "default" {
+  capabilities = [
+    "list-jobs",
+    "read-job",
+    "submit-job",  # This allows deleting a service registeration
+    "alloc-lifecycle",
+  ]
+}
+  EOH
+
+  job_acl {
+    job_id = "fixers/*"
+  }
+}