Add postgres stunnel and service bootstrap

IamTheFij 2023-07-25 10:59:33 -07:00
parent f8478ae6c9
commit ac29343d96
4 changed files with 165 additions and 8 deletions


@ -17,9 +17,10 @@ job "postgres-server" {
mode = "bridge" mode = "bridge"
port "db" { port "db" {
to = 5432 static = 5432
host_network = "wesher"
} }
port "tls" {}
} }
volume "postgres-data" { volume "postgres-data" {
@ -34,6 +35,12 @@ job "postgres-server" {
port = "db" port = "db"
} }
service {
name = "postgres-tls"
provider = "nomad"
port = "tls"
}
task "postgres-server" { task "postgres-server" {
driver = "docker" driver = "docker"
@ -69,5 +76,53 @@ POSTGRES_PASSWORD={{ .superuser_pass }}
memory = 256 memory = 256
} }
} }
task "stunnel" {
driver = "docker"
config {
image = "alpine:3.17"
ports = ["tls"]
args = ["/bin/sh", "${NOMAD_TASK_DIR}/start.sh"]
}
resources {
cpu = 100
memory = 100
}
template {
data = <<EOF
set -e
apk add stunnel
exec stunnel ${NOMAD_TASK_DIR}/stunnel.conf
EOF
destination = "${NOMAD_TASK_DIR}/start.sh"
}
template {
data = <<EOF
syslog = no
foreground = yes
delay = yes
[postgres_server]
accept = {{ env "NOMAD_PORT_tls" }}
connect = 127.0.0.1:5432
ciphers = PSK
PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/stunnel_psk.txt
EOF
destination = "${NOMAD_TASK_DIR}/stunnel.conf"
}
template {
data = <<EOF
{{ with nomadVar "nomad/jobs/postgres-server/postgres-server/stunnel" -}}
{{ .allowed_psks }}
{{- end }}
EOF
destination = "${NOMAD_SECRETS_DIR}/stunnel_psk.txt"
}
}
} }
} }
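Review bot: The new stunnel sidecar obtains its only binary with an unpinned `apk add stunnel` on every task start (the `start.sh` template), so the TLS listener's stunnel/OpenSSL build is whatever the Alpine 3.17 mirror serves that day and the task cannot start at all when the mirror is unreachable; pinning either the image or the package (`apk add stunnel=<version>`) would make the endpoint reproducible. Separately, the first hunk changes the `db` port to `static = 5432` on `host_network = "wesher"` alongside the new `tls` port, so as far as this section shows the unencrypted listener remains reachable from that network while clients are being moved onto the PSK tunnel; if that is deliberate for non-stunnel consumers it deserves a comment such as `# plaintext 5432 on wesher kept for legacy clients; drop once all consumers use postgres-tls`, otherwise the static binding could be removed. The PSK file is rendered verbatim from `.allowed_psks`, so the variable should be documented as holding one stunnel `identity:key` line per client, since a malformed line here is only reported by stunnel at start time.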


@ -31,7 +31,9 @@ resource "nomad_job" "service" {
use_mysql = var.use_mysql || var.mysql_bootstrap != null use_mysql = var.use_mysql || var.mysql_bootstrap != null
use_redis = var.use_redis use_redis = var.use_redis
use_ldap = var.use_ldap use_ldap = var.use_ldap
use_postgres = var.use_postgres || var.postgres_bootstrap != null
mysql_bootstrap = var.mysql_bootstrap mysql_bootstrap = var.mysql_bootstrap
postgres_bootstrap = var.postgres_bootstrap
}) })
} }


@ -179,7 +179,7 @@ EOF
} }
%{ if mysql_bootstrap != null ~} %{ if mysql_bootstrap != null ~}
task "${name}-bootstrap" { task "mysql-bootstrap" {
driver = "docker" driver = "docker"
lifecycle { lifecycle {
@ -243,7 +243,73 @@ SELECT 'NOOP';
} }
%{ endif } %{ endif }
%{ if use_mysql || use_redis || use_ldap ~} %{ if postgres_bootstrap != null ~}
task "postgres-bootstrap" {
driver = "docker"
lifecycle {
hook = "prestart"
sidecar = false
}
config {
image = "postgres:14"
args = [
"/usr/bin/timeout",
"2m",
"/bin/bash",
"-c",
"until /bin/bash $${NOMAD_TASK_DIR}/bootstrap.sh; do sleep 10; done",
]
}
template {
data = <<EOF
{{ with nomadVar "nomad/jobs/${name}" -}}
/usr/bin/createdb {{ .${postgres_bootstrap.db_name_key} }}
{{ end }}
/usr/bin/psql -X -f $${NOMAD_SECRETS_DIR/bootstrap.sql
EOF
destination = "$${NOMAD_TASK_DIR}/boostrap.sh"
}
template {
data = <<EOF
PGHOSTADDR=127.0.0.1
PGPORT=5432
{{ with nomadVar "nomad/jobs/${name}/${name}/bootstrap" }}
PGUSER={{ .superuser }}
# TODO: Passfile?
PGPASSWORD={{ .superuser_pass }}
{{ end }}
EOF
destination = "$${NOMAD_SECRETS_DIR}/db.env"
env = true
}
template {
data = <<EOF
{{ with nomadVar "nomad/jobs/${name}" -}}
DO $$
BEGIN
CREATE ROLE {{ .${postgres_bootstrap.db_user_key} }} LOGIN PASSWORD '{{ .${postgres_bootstrap.db_pass_key} }}';
GRANT ALL ON DATABASE "{{ .${postgres_bootstrap.db_name_key} }}" TO {{ .${postgres_bootstrap.db_user_key} }};
EXCEPTION WHEN duplicate_object THEN RAISE NOTICE '%, skipping', SQLERRM USING ERRCODE = SQLSTATE;
END
$$;
{{ end }}
EOF
destination = "$${NOMAD_SECRETS_DIR}/bootstrap.sql"
}
resources {
cpu = 50
memory = 50
}
}
%{ endif }
%{ if use_mysql || use_redis || use_ldap || use_postgres ~}
task "stunnel" { task "stunnel" {
driver = "docker" driver = "docker"
@ -305,6 +371,16 @@ accept = 127.0.0.1:389
connect = {{ .Address }}:{{ .Port }} connect = {{ .Address }}:{{ .Port }}
{{- end }} {{- end }}
PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/ldap_stunnel_psk.txt PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/ldap_stunnel_psk.txt
%{~ endif }
%{~ if use_postgres }
[postgres_client]
client = yes
accept = 127.0.0.1:5432
{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "postgres-tls" -}}
connect = {{ .Address }}:{{ .Port }}
{{- end }}
PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/postgres_stunnel_psk.txt
%{~ endif } %{~ endif }
EOF EOF
destination = "$${NOMAD_TASK_DIR}/stunnel.conf" destination = "$${NOMAD_TASK_DIR}/stunnel.conf"
@ -334,6 +410,14 @@ EOF
destination = "$${NOMAD_SECRETS_DIR}/ldap_stunnel_psk.txt" destination = "$${NOMAD_SECRETS_DIR}/ldap_stunnel_psk.txt"
} }
%{~ endif } %{~ endif }
%{~ if use_postgres }
template {
data = <<EOF
{{- with nomadVar "nomad/jobs/${name}/${name}/stunnel" }}{{ .postgres_stunnel_psk }}{{ end -}}
EOF
destination = "$${NOMAD_SECRETS_DIR}/postgres_stunnel_psk.txt"
}
%{~ endif }
} }
%{~ endif } %{~ endif }
} }
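Review bot: The new postgres-bootstrap task cannot succeed as written: the `until` loop executes `$${NOMAD_TASK_DIR}/bootstrap.sh` but the script template is written to `boostrap.sh` (typo), and inside the script `$${NOMAD_SECRETS_DIR/bootstrap.sql` is missing its closing brace, which bash rejects as a bad substitution, so every iteration fails until the 2m `timeout` kills the prestart task. The fixes are `destination = "$${NOMAD_TASK_DIR}/bootstrap.sh"` and `/usr/bin/psql -X -f $${NOMAD_SECRETS_DIR}/bootstrap.sql`. The role name, password and database name are spliced unescaped into the SQL and into the `createdb` argument; they come from Nomad variables rather than end-user input, but a password containing `'` or `$$` breaks or truncates the DO block, so the dollar-quote tag should be something unlikely such as `$bootstrap$` and the constraint noted with a comment like `# db_pass must not contain a single quote or the dollar-quote tag`. The superuser password is passed as `PGPASSWORD` in the env template (the `TODO: Passfile?` line), which is readable from the process environment; a `PGPASSFILE` pointing at a 0600 file under `NOMAD_SECRETS_DIR` is the usual alternative. The task connects to `127.0.0.1:5432`, which is the stunnel client `accept` address added below, so it depends on the stunnel task already running when this prestart task starts — the stunnel task's lifecycle block is outside this hunk, so that ordering cannot be confirmed here.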


@ -165,6 +165,11 @@ variable "use_ldap" {
default = false default = false
} }
variable "use_postgres" {
type = bool
default = false
}
variable "mysql_bootstrap" { variable "mysql_bootstrap" {
type = object({ type = object({
enabled = optional(bool, true) enabled = optional(bool, true)
@ -177,6 +182,17 @@ variable "mysql_bootstrap" {
default = null default = null
} }
variable "postgres_bootstrap" {
type = object({
enabled = optional(bool, true)
db_name_key = optional(string, "db_name")
db_user_key = optional(string, "db_user")
db_pass_key = optional(string, "db_pass")
})
default = null
}
variable "constraints" { variable "constraints" {
type = list(object({ type = list(object({
attribute = optional(string, "") attribute = optional(string, "")