# Blocky configuration, supplied by the caller (no default, so `nomad job run`
# must provide it). It is fed to a `template` block in the blocky task, so any
# `{{ ... }}` directives in it are evaluated at render time, not passed through.
variable "config_data" {
  description = "Plain text config file for blocky"
  type        = string
}
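# Blocky DNS resolver, run as a system job so every eligible node gets one
# allocation (and therefore a local resolver on port 53).
job "blocky" {
  datacenters = ["dc1"]
  type        = "system"
  priority    = 100

  update {
    max_parallel = 1
    # TODO: maybe switch to service job from system so we can use canary and autorollback
    # auto_revert = true
  }

  group "blocky" {

    network {
      mode = "bridge"

      # Fixed host port so clients can point resolv.conf at the node address.
      port "dns" {
        static = "53"
      }

      # No `static`, so Nomad allocates a dynamic host port mapped to 4000 in
      # the bridge namespace. That host port is reachable by anything that can
      # reach the node's default interface; blocky's HTTP API carries control
      # endpoints and, as far as this spec shows, nothing authenticates it
      # (confirm against the rendered config). If the node network is not
      # trusted, bind it to a restricted host_network or firewall it.
      port "api" {
        # TODO: This may be broken. It seems we're exposing the loopback address which can't be reached
        # host_network = "loopback"
        to = "4000"
      }

      # Set explicit DNS servers because tasks, by default, use this task
      # (the node resolver would point this group back at itself).
      dns {
        servers = ["1.1.1.1", "1.0.0.1"]
      }
    }

    service {
      name = "blocky-dns"
      port = "dns"
    }

    service {
      name = "blocky-api"
      port = "api"

      meta {
        # Escaped with $$ so HCL2 leaves the expression for Nomad's runtime
        # interpolation, consistent with the $${NOMAD_SECRETS_DIR} usage below.
        metrics_addr = "$${NOMAD_ADDR_api}"
      }

      # Published through Traefik on the TLS entrypoint. No middleware tag is
      # attached, so no auth or IP allow-list sits in front of the API; add one
      # if the websecure entrypoint is reachable from untrusted networks.
      tags = [
        "traefik.enable=true",
        "traefik.http.routers.blocky-api.entryPoints=websecure",
      ]

      connect {
        sidecar_service {
          proxy {
            local_service_port = 4000

            # NOTE(review): the expose listener reuses port label "api"
            # (to = 4000), the same port blocky listens on inside the shared
            # bridge namespace -- see the TODO on port "api". The usual pattern
            # is a dedicated port with `to = -1` for the Envoy expose listener;
            # confirm that /metrics scraping actually works as configured.
            expose {
              path {
                path            = "/metrics"
                protocol        = "http"
                local_path_port = 4000
                listener_port   = "api"
              }
            }

            upstreams {
              destination_name = "redis"
              local_bind_port  = 6379
            }

            upstreams {
              destination_name = "mysql-server"
              local_bind_port  = 4040
            }
          }
        }

        sidecar_task {
          resources {
            cpu        = 50
            memory     = 20
            memory_max = 50
          }
        }
      }

      check {
        name     = "api-health"
        port     = "api"
        type     = "http"
        path     = "/"
        interval = "10s"
        timeout  = "3s"
      }
    }

    task "blocky" {
      driver = "docker"

      config {
        # TODO(security): no tag, so this resolves to :latest on every pull.
        # Pin a version tag (ideally an @sha256 digest) so a node restart cannot
        # silently pull a different image.
        image = "ghcr.io/0xerr0r/blocky"
        ports = ["dns", "api"]

        # The rendered template below lives in the task dir and is bind-mounted
        # over the image's config path.
        mount {
          type   = "bind"
          target = "/app/config.yml"
          source = "app/config.yml"
        }
      }

      resources {
        cpu        = 50
        memory     = 50
        memory_max = 100
      }

      # NOTE(review): "access-tables" is the same policy the bootstrap task
      # uses for the database root password. It is only needed here if
      # config_data itself reads secrets; otherwise drop it (least privilege).
      vault {
        policies = [
          "access-tables",
          "nomad-task",
        ]
      }

      # Config is rendered in place on change. `splay` randomises and `wait`
      # debounces re-renders so a cluster-wide config update does not restart
      # every node's resolver at the same moment.
      template {
        data        = var.config_data
        destination = "app/config.yml"
        splay       = "1m"

        wait {
          min = "10s"
          max = "20s"
        }
      }
    }

    # One-shot prestart task that creates the blocky database and users. As a
    # system job this runs on every node, so the SQL relies on IF NOT EXISTS to
    # stay idempotent.
    task "blocky-bootstrap" {
      driver = "docker"

      lifecycle {
        hook    = "prestart"
        sidecar = false
      }

      config {
        # TODO(security): floating major tag; pin a full version or digest.
        image = "mariadb:10"
        # Credentials are read from a defaults file in NOMAD_SECRETS_DIR rather
        # than passed on the command line, so they do not appear in process args.
        args = [
          "/bin/bash",
          "-c",
          "/usr/bin/mysql --defaults-extra-file=$${NOMAD_SECRETS_DIR}/my.cnf < $${NOMAD_SECRETS_DIR}/bootstrap.sql",
        ]
      }

      vault {
        policies = [
          "access-tables",
          "nomad-task",
        ]
      }

      # mysql client config. Connects as root over the mysql-server Connect
      # upstream. NOTE(review): root exceeds what this task needs (CREATE
      # DATABASE/USER and GRANT on one schema); a dedicated admin user with
      # just those grants would limit blast radius if the secret leaks.
      template {
        data = <<EOF
[client]
host={{ env "NOMAD_UPSTREAM_IP_mysql_server" }}
port={{ env "NOMAD_UPSTREAM_PORT_mysql_server" }}
user=root
{{ with secret "kv/data/mysql" }}
password={{ .Data.data.root_password }}
{{ end }}
EOF
        destination = "$${NOMAD_SECRETS_DIR}/my.cnf"
      }

      # Bootstrap SQL. Names and passwords are interpolated straight into the
      # statements; they come from operator-controlled Vault KV, not user
      # input, but a value containing ' or ` would break (or alter) the SQL,
      # so keep those secrets free of quotes. Users are created @'%' because
      # connections arrive via the Envoy upstream, not from a fixed address;
      # grants are scoped to the one database, not global.
      template {
        data = <<EOF
{{ with secret "kv/data/blocky" -}}
{{ if .Data.data.db_name -}}
{{ $db_name := .Data.data.db_name }}
CREATE DATABASE IF NOT EXISTS `{{ $db_name }}`;
CREATE USER IF NOT EXISTS '{{ .Data.data.db_user }}'@'%' IDENTIFIED BY '{{ .Data.data.db_pass }}';
GRANT ALL ON `{{ $db_name }}`.* to '{{ .Data.data.db_user }}'@'%';
{{ with secret "kv/data/grafana" -}}
-- Add grafana read_only user
CREATE USER IF NOT EXISTS '{{ .Data.data.db_user_ro }}'@'%' IDENTIFIED BY '{{ .Data.data.db_pass_ro }}';
GRANT SELECT ON `{{ $db_name }}`.* to '{{ .Data.data.db_user_ro }}'@'%';
{{ end -}}
{{ else -}}
SELECT 'NOOP';
{{ end -}}
{{ end -}}
EOF
        destination = "$${NOMAD_SECRETS_DIR}/bootstrap.sql"
      }

      resources {
        cpu    = 50
        memory = 50
      }
    }
  }
}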