Update security todos and reference node IP for consul queries
parent
ab1c9b41cd
commit
478f9c4c8f
@ -10,7 +10,7 @@ resource "nomad_acl_policy" "admin" {
|
|||||||
rules_hcl = file("${path.module}/nomad-admin-policy.hcl")
|
rules_hcl = file("${path.module}/nomad-admin-policy.hcl")
|
||||||
}
|
}
|
||||||
|
|
||||||
# TODO: Limit this scope
|
# TODO: (security) Limit this scope
|
||||||
resource "nomad_acl_policy" "deploy" {
|
resource "nomad_acl_policy" "deploy" {
|
||||||
name = "deploy"
|
name = "deploy"
|
||||||
description = "Write for job deployments"
|
description = "Write for job deployments"
|
||||||
|
2
core.tf
2
core.tf
@ -17,8 +17,6 @@ module "traefik" {
|
|||||||
|
|
||||||
module "metrics" {
|
module "metrics" {
|
||||||
source = "./metrics"
|
source = "./metrics"
|
||||||
|
|
||||||
consul_address = var.consul_address
|
|
||||||
}
|
}
|
||||||
|
|
||||||
module "loki" {
|
module "loki" {
|
||||||
|
@ -25,7 +25,6 @@ job "adminer" {
|
|||||||
|
|
||||||
upstreams {
|
upstreams {
|
||||||
destination_name = "mysql-server"
|
destination_name = "mysql-server"
|
||||||
# TODO: how do I get these to not bind to the host eth0 address
|
|
||||||
local_bind_port = 4040
|
local_bind_port = 4040
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1,8 +1,3 @@
|
|||||||
variable "consul_address" {
|
|
||||||
type = string
|
|
||||||
description = "address of consul server for dynamic scraping"
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "nomad_job" "exporters" {
|
resource "nomad_job" "exporters" {
|
||||||
hcl2 {
|
hcl2 {
|
||||||
enabled = true
|
enabled = true
|
||||||
@ -20,12 +15,6 @@ data "consul_nodes" "all-nodes" {
|
|||||||
resource "nomad_job" "prometheus" {
|
resource "nomad_job" "prometheus" {
|
||||||
hcl2 {
|
hcl2 {
|
||||||
enabled = true
|
enabled = true
|
||||||
vars = {
|
|
||||||
# TODO: May not need this because we have an env variable for that
|
|
||||||
# "consul_address" = "${var.consul_address}",
|
|
||||||
# TODO: Should this be a list?
|
|
||||||
"consul_address" = "http://${data.consul_nodes.all-nodes.nodes[0].address}:8500",
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
jobspec = file("${path.module}/prometheus.nomad")
|
jobspec = file("${path.module}/prometheus.nomad")
|
||||||
|
@ -1,9 +1,3 @@
|
|||||||
variable "consul_address" {
|
|
||||||
type = string
|
|
||||||
description = "Full address of Consul instance to get catalog from"
|
|
||||||
default = "http://127.0.0.1:5400"
|
|
||||||
}
|
|
||||||
|
|
||||||
job "prometheus" {
|
job "prometheus" {
|
||||||
datacenters = ["dc1"]
|
datacenters = ["dc1"]
|
||||||
|
|
||||||
@ -97,8 +91,7 @@ scrape_configs:
|
|||||||
format:
|
format:
|
||||||
- "prometheus"
|
- "prometheus"
|
||||||
consul_sd_configs:
|
consul_sd_configs:
|
||||||
- server: "${var.consul_address}"
|
- server: "http://{{env "attr.unique.network.ip-address"}}:8500"
|
||||||
# - server: "{{ env "CONSUL_HTTP_ADDR" }}"
|
|
||||||
services:
|
services:
|
||||||
- "nomad-client"
|
- "nomad-client"
|
||||||
|
|
||||||
@ -108,8 +101,7 @@ scrape_configs:
|
|||||||
format:
|
format:
|
||||||
- "prometheus"
|
- "prometheus"
|
||||||
consul_sd_configs:
|
consul_sd_configs:
|
||||||
- server: "${var.consul_address}"
|
- server: "http://{{env "attr.unique.network.ip-address"}}:8500"
|
||||||
# - server: "{{ env "CONSUL_HTTP_ADDR" }}"
|
|
||||||
services:
|
services:
|
||||||
- "consul"
|
- "consul"
|
||||||
relabel_configs:
|
relabel_configs:
|
||||||
@ -120,8 +112,7 @@ scrape_configs:
|
|||||||
- job_name: "exporters"
|
- job_name: "exporters"
|
||||||
metrics_path: "/metrics"
|
metrics_path: "/metrics"
|
||||||
consul_sd_configs:
|
consul_sd_configs:
|
||||||
- server: "${var.consul_address}"
|
- server: "http://{{env "attr.unique.network.ip-address"}}:8500"
|
||||||
# - server: "{{ env "CONSUL_HTTP_ADDR" }}"
|
|
||||||
relabel_configs:
|
relabel_configs:
|
||||||
- source_labels: [__meta_consul_service]
|
- source_labels: [__meta_consul_service]
|
||||||
action: drop
|
action: drop
|
||||||
@ -143,8 +134,7 @@ scrape_configs:
|
|||||||
- job_name: "envoy"
|
- job_name: "envoy"
|
||||||
metrics_path: "/metrics"
|
metrics_path: "/metrics"
|
||||||
consul_sd_configs:
|
consul_sd_configs:
|
||||||
- server: "${var.consul_address}"
|
- server: "http://{{env "attr.unique.network.ip-address"}}:8500"
|
||||||
# - server: "{{ env "CONSUL_HTTP_ADDR" }}"
|
|
||||||
relabel_configs:
|
relabel_configs:
|
||||||
- source_labels: [__meta_consul_service]
|
- source_labels: [__meta_consul_service]
|
||||||
action: keep
|
action: keep
|
||||||
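Review bot: All four `consul_sd_configs` entries now query Consul at `http://{{env "attr.unique.network.ip-address"}}:8500`, which is the node's network address over plain HTTP, and the `exporters` and `envoy` entries visibly carry no `token` or `tls_config` next to `server`. This presumably relies on Consul's HTTP listener being bound beyond loopback, so anything that can reach port 8500 on the node can read the catalog, and without ACLs it can also use the write API. If ACLs are or will be enabled, give each entry a `token:` holding a read-only catalog token, and move to `scheme: https` with a `tls_config` once Consul serves TLS. Until then, record the gap in the tag style this commit introduces, e.g. `# TODO: (security) Consul API queried over plain HTTP without a token`. The scrape jobs start and end outside these hunks, so the `nomad-client` and `consul` entries may set more than is shown.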
|
@ -372,7 +372,7 @@
|
|||||||
# Only talk to local Vault for now because it doesn't have HTTPS
|
# Only talk to local Vault for now because it doesn't have HTTPS
|
||||||
nomad_vault_address: "http://127.0.0.1:8200"
|
nomad_vault_address: "http://127.0.0.1:8200"
|
||||||
nomad_vault_create_from_role: "nomad-cluster"
|
nomad_vault_create_from_role: "nomad-cluster"
|
||||||
# TODO: Probably want to restict this to a narrower scoped token
|
# TODO: (security) Probably want to restict this to a narrower scoped token
|
||||||
nomad_vault_enabled: "{{ root_token is defined }}"
|
nomad_vault_enabled: "{{ root_token is defined }}"
|
||||||
nomad_vault_token: "{{ root_token | default('') }}"
|
nomad_vault_token: "{{ root_token | default('') }}"
|
||||||
|
|
||||||
|
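Review bot: The retagged TODO still leaves `nomad_vault_token` set to `root_token`, so each Nomad server configured from these vars holds a Vault root credential. The comment would be more actionable if it named the intended replacement, e.g. `# TODO: (security) Replace root_token with a periodic token limited to a nomad-server policy (token role: nomad-cluster)`, which matches the `nomad_vault_create_from_role` value already set here. That wording also fixes the "restict" typo that the new line carries over. The vars block starts and ends outside the hunk.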