orchestration-tests/nomad/core/traefik/traefik.nomad

variable "base_hostname" {
  type = string
  description = "Base hostname to serve content from"
  default = "dev.homelab"
}

job "traefik" {
  datacenters = ["dc1"]
  type = "service"
  priority = 100

  constraint {
    attribute = "${node.class}"
    value = "ingress"
  }

  constraint {
    distinct_hosts = true
  }

  update {
    max_parallel = 1
    # canary = 1
    # auto_promote = true
    auto_revert = true
  }

  group "traefik" {
    count = 1

    network  {
      port "web" {
        static = 80
      }

      port "websecure" {
        static = 443
      }

      port "syslog" {
        static = 514
      }

      port "git-ssh" {
        static = 2222
      }
    }

    ephemeral_disk {
      migrate = true
      sticky = true
    }

    service {
      name = "traefik"
      port = "web"

      check {
        type = "http"
        path = "/ping"
        port = "web"
        interval = "10s"
        timeout = "2s"
      }

      connect {
        native = true
      }

      tags = [
        "traefik.enable=true",
        "traefik.http.routers.traefik.entryPoints=websecure",
        "traefik.http.routers.traefik.service=api@internal",
      ]
    }

    task "traefik" {
      driver = "docker"

      config {
        image = "traefik:2.6"

        ports = ["web", "websecure"]
        network_mode = "host"

        mount {
          type = "bind"
          target = "/etc/traefik"
          source = "local/config"
        }

        mount {
          type = "bind"
          target = "/etc/traefik/usersfile"
          source = "secrets/usersfile"
        }
      }

      vault {
        policies = ["access-tables", "nomad-task"]
      }

      template {
        # Avoid conflict with TOML lists [[ ]] and Go templates {{ }}
        left_delimiter = "<<"
        right_delimiter = ">>"
        data = <<EOH
[log]
  level = "DEBUG"

[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http]
      [entryPoints.web.http.redirections]
        [entryPoints.web.http.redirections.entrypoint]
          to = "websecure"
          scheme = "https"

  [entryPoints.websecure]
    address = ":443"
    [entryPoints.websecure.http.tls]
    << if keyExists "traefik/acme/email" ->>
      certResolver = "letsEncrypt"
      [[entryPoints.websecure.http.tls.domains]]
        main = "*.<< keyOrDefault "global/base_hostname" "${var.base_hostname}" >>"
    << end ->>

  [entryPoints.metrics]
    address = ":8989"

  [entryPoints.syslogtcp]
    address = ":514"

  [entryPoints.syslogudp]
    address = ":514/udp"

  [entryPoints.gitssh]
    address = ":2222"

[api]
  dashboard = true

[ping]
  entrypoint = "web"

[metrics]
  [metrics.prometheus]
    entrypoint = "metrics"
    # manualRouting = true

[providers.file]
  directory = "/etc/traefik/conf"
  watch = true

[providers.consulCatalog]
  connectAware = true
  connectByDefault = true
  exposedByDefault = false
  defaultRule = "Host(`{{normalize .Name}}.<< keyOrDefault "global/base_hostname" "${var.base_hostname}" >>`)"
  [providers.consulCatalog.endpoint]
    address = "http://<< env "CONSUL_HTTP_ADDR" >>"

<< if keyExists "traefik/acme/email" ->>
[certificatesResolvers.letsEncrypt.acme]
  email = "<< key "traefik/acme/email" >>"
  # Store in /local because /secrets doesn't persist with ephemeral disk
  storage = "/local/acme.json"
  [certificatesResolvers.letsEncrypt.acme.dnsChallenge]
    provider = "cloudflare"
    resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
    delayBeforeCheck = 0
<< end ->>
        EOH
        destination = "local/config/traefik.toml"
      }

      template {
        data = <<EOH
{{ with secret "kv/data/cloudflare" }}
CF_DNS_API_TOKEN={{ .Data.data.api_token_dns_edit }}
CF_ZONE_API_TOKEN={{ .Data.data.api_token_zone_read }}
{{ end }}
        EOH
        destination = "secrets/cloudflare.env"
        env = true
      }

      template {
        data = <<EOH
[http]
  [http.routers]
    [http.routers.nomad]
      entryPoints = ["websecure"]
      # middlewares = []
      service = "nomad"
      rule = "Host(`nomad.{{ keyOrDefault "global/base_hostname" "${var.base_hostname}" }}`)"
    [http.routers.consul]
      entryPoints = ["websecure"]
      # middlewares = []
      service = "consul"
      rule = "Host(`consul.{{ keyOrDefault "global/base_hostname" "${var.base_hostname}" }}`)"
    [http.routers.vault]
      entryPoints = ["websecure"]
      # middlewares = []
      service = "vault"
      rule = "Host(`vault.{{ keyOrDefault "global/base_hostname" "${var.base_hostname}" }}`)"

  [http.services]
    {{ with service "nomad-client" -}}
    [http.services.nomad]
      [http.services.nomad.loadBalancer]
        {{ range . -}}
        [[http.services.nomad.loadBalancer.servers]]
          url = "http://{{ .Address }}:{{ .Port }}"
        {{ end }}
    {{- end }}
    {{ with service "consul" -}}
    [http.services.consul]
      [http.services.consul.loadBalancer]
        {{ range . -}}
        [[http.services.consul.loadBalancer.servers]]
          # Not using .Port because that's an RPC port
          url = "http://{{ .Address }}:8500"
        {{ end }}
    {{- end }}
    {{ with service "vault" -}}
    [http.services.vault]
      [http.services.vault.loadBalancer]
        [http.services.vault.loadBalancer.sticky.cookie]
        {{ range . -}}
        [[http.services.vault.loadBalancer.servers]]
          url = "http://{{ .Address }}:{{ .Port }}"
        {{ end }}
    {{- end }}
        EOH
        destination = "local/config/conf/route-hashi.toml"
        change_mode = "noop"
      }

      template {
        data = <<EOH
{{ with service "syslogng" -}}
[tcp.routers]
  [tcp.routers.syslogtcp]
    entryPoints = ["syslogtcp"]
    service = "syslogngtcp"
    rule = "HostSNI(`*`)"

[tcp.services]
  [tcp.services.syslogngtcp]
    [tcp.services.syslogngtcp.loadBalancer]
      {{ range . -}}
      [[tcp.services.syslogngtcp.loadBalancer.servers]]
        address = "{{ .Address }}:{{ .Port }}"
      {{ end -}}
{{ end }}

{{ with service "syslogng" -}}
[udp.routers]
  [udp.routers.syslogudp]
    entryPoints = ["syslogudp"]
    service = "syslogngudp"

[udp.services]
  [udp.services.syslogngudp]
    [udp.services.syslogngudp.loadBalancer]
      {{ range . -}}
      [[udp.services.syslogngudp.loadBalancer.servers]]
        address = "{{ .Address }}:{{ .Port }}"
      {{ end -}}
{{ end }}
        EOH
        destination = "local/config/conf/route-syslog-ng.toml"
        change_mode = "noop"
      }

      template {
        data = <<EOH
[http.middlewares]
{{ with secret "kv/data/traefik" }}
{{ if .Data.data.usersfile }}
  [http.middlewares.basic-auth.basicAuth]
    usersFile = "/etc/traefik/usersfile"
{{ end }}
{{ end }}
        EOH
        destination = "local/config/conf/middlewares.toml"
        change_mode = "noop"
      }

      template {
        data = <<EOH
{{ with secret "kv/data/traefik" }}
{{ .Data.data.usersfile }}
{{ end }}
        EOH
        destination = "secrets/usersfile"
        change_mode = "noop"
      }

      resources {
        cpu = 100
        memory = 100
        memory_max = 500
      }
    }
  }
}
Add some basic Nomad and k8s tests 2022-02-16 17:56:18 +00:00			`variable "base_hostname" {`
			`type = string`
			`description = "Base hostname to serve content from"`
			`default = "dev.homelab"`
			`}`

			`job "traefik" {`
			`datacenters = ["dc1"]`
Make traefik a service rather than a system job Sets it up to support auto_revert and auto_promote 2022-07-28 22:11:59 +00:00			`type = "service"`
Increase priority of Traefik 2022-06-23 16:51:42 +00:00			`priority = 100`
Add some basic Nomad and k8s tests 2022-02-16 17:56:18 +00:00
Update ansible to deploy nomad and consul to Pi host This is broken because the Pi doesn't have the right version of ip-tables 2022-02-27 22:49:00 +00:00			`constraint {`
			`attribute = "${node.class}"`
			`value = "ingress"`
			`}`

Make traefik a service rather than a system job Sets it up to support auto_revert and auto_promote 2022-07-28 22:11:59 +00:00			`constraint {`
			`distinct_hosts = true`
			`}`

Deploy traefik one at a time with autorevert 2022-06-24 03:12:30 +00:00			`update {`
			`max_parallel = 1`
Make traefik a service rather than a system job Sets it up to support auto_revert and auto_promote 2022-07-28 22:11:59 +00:00			`# canary = 1`
			`# auto_promote = true`
Deploy traefik one at a time with autorevert 2022-06-24 03:12:30 +00:00			`auto_revert = true`
			`}`

Add some basic Nomad and k8s tests 2022-02-16 17:56:18 +00:00			`group "traefik" {`
Make traefik a service rather than a system job Sets it up to support auto_revert and auto_promote 2022-07-28 22:11:59 +00:00			`count = 1`
Add some basic Nomad and k8s tests 2022-02-16 17:56:18 +00:00
			`network {`
			`port "web" {`
			`static = 80`
			`}`
Fix syslog proxy Apparently traefik only supports http proxy over connect. https://github.com/traefik/traefik/issues/7803 2022-09-05 03:21:02 +00:00
Add some basic Nomad and k8s tests 2022-02-16 17:56:18 +00:00			`port "websecure" {`
			`static = 443`
			`}`
Fix syslog proxy Apparently traefik only supports http proxy over connect. https://github.com/traefik/traefik/issues/7803 2022-09-05 03:21:02 +00:00
			`port "syslog" {`
			`static = 514`
			`}`
Add gitea 2022-10-31 22:23:04 +00:00
			`port "git-ssh" {`
			`static = 2222`
			`}`
Add some basic Nomad and k8s tests 2022-02-16 17:56:18 +00:00			`}`

Make traefik disk ephemeral and sticky 2022-07-28 00:30:35 +00:00			`ephemeral_disk {`
			`migrate = true`
			`sticky = true`
			`}`

Add some basic Nomad and k8s tests 2022-02-16 17:56:18 +00:00			`service {`
			`name = "traefik"`
			`port = "web"`

			`check {`
			`type = "http"`
			`path = "/ping"`
			`port = "web"`
			`interval = "10s"`
			`timeout = "2s"`
			`}`

			`connect {`
			`native = true`
			`}`

			`tags = [`
			`"traefik.enable=true",`
Get letsencrypt certs working with Traefik 2022-07-27 18:12:08 +00:00			`"traefik.http.routers.traefik.entryPoints=websecure",`
			`"traefik.http.routers.traefik.service=api@internal",`
Add some basic Nomad and k8s tests 2022-02-16 17:56:18 +00:00			`]`
			`}`

			`task "traefik" {`
			`driver = "docker"`

			`config {`
			`image = "traefik:2.6"`

			`ports = ["web", "websecure"]`
			`network_mode = "host"`

Simplify proxy routing 2022-03-14 22:58:03 +00:00			`mount {`
			`type = "bind"`
			`target = "/etc/traefik"`
Add basic auth to traefik 2022-07-27 04:45:06 +00:00			`source = "local/config"`
Simplify proxy routing 2022-03-14 22:58:03 +00:00			`}`
Add basic auth to traefik 2022-07-27 04:45:06 +00:00
			`mount {`
			`type = "bind"`
			`target = "/etc/traefik/usersfile"`
			`source = "secrets/usersfile"`
			`}`
			`}`

			`vault {`
			`policies = ["access-tables", "nomad-task"]`
Simplify proxy routing 2022-03-14 22:58:03 +00:00			`}`

			`template {`
			`# Avoid conflict with TOML lists [[ ]] and Go templates {{ }}`
			`left_delimiter = "<<"`
			`right_delimiter = ">>"`
			`data = <<EOH`
			`[log]`
			`level = "DEBUG"`

			`[entryPoints]`
			`[entryPoints.web]`
			`address = ":80"`
			`[entryPoints.web.http]`
			`[entryPoints.web.http.redirections]`
			`[entryPoints.web.http.redirections.entrypoint]`
			`to = "websecure"`
			`scheme = "https"`

			`[entryPoints.websecure]`
			`address = ":443"`
			`[entryPoints.websecure.http.tls]`
Get letsencrypt certs working with Traefik 2022-07-27 18:12:08 +00:00			`<< if keyExists "traefik/acme/email" ->>`
			`certResolver = "letsEncrypt"`
Traefik wildcard certs 2022-07-28 22:11:24 +00:00			`[[entryPoints.websecure.http.tls.domains]]`
			`main = "*.<< keyOrDefault "global/base_hostname" "${var.base_hostname}" >>"`
Get letsencrypt certs working with Traefik 2022-07-27 18:12:08 +00:00			`<< end ->>`
Simplify proxy routing 2022-03-14 22:58:03 +00:00
			`[entryPoints.metrics]`
			`address = ":8989"`

Add Traefik proxy for Syslogng 2022-09-04 19:36:26 +00:00			`[entryPoints.syslogtcp]`
			`address = ":514"`

			`[entryPoints.syslogudp]`
			`address = ":514/udp"`

Add gitea 2022-10-31 22:23:04 +00:00			`[entryPoints.gitssh]`
			`address = ":2222"`

Simplify proxy routing 2022-03-14 22:58:03 +00:00			`[api]`
			`dashboard = true`

			`[ping]`
			`entrypoint = "web"`

			`[metrics]`
			`[metrics.prometheus]`
			`entrypoint = "metrics"`
			`# manualRouting = true`

			`[providers.file]`
			`directory = "/etc/traefik/conf"`
			`watch = true`

			`[providers.consulCatalog]`
			`connectAware = true`
			`connectByDefault = true`
			`exposedByDefault = false`
Get letsencrypt certs working with Traefik 2022-07-27 18:12:08 +00:00			defaultRule = "Host(`{{normalize .Name}}.<< keyOrDefault "global/base_hostname" "${var.base_hostname}" >>`)"
Simplify proxy routing 2022-03-14 22:58:03 +00:00			`[providers.consulCatalog.endpoint]`
			`address = "http://<< env "CONSUL_HTTP_ADDR" >>"`
Get letsencrypt certs working with Traefik 2022-07-27 18:12:08 +00:00
			`<< if keyExists "traefik/acme/email" ->>`
			`[certificatesResolvers.letsEncrypt.acme]`
			`email = "<< key "traefik/acme/email" >>"`
Move acme certs to /local so they will persit between allocs 2022-09-06 16:45:04 +00:00			`# Store in /local because /secrets doesn't persist with ephemeral disk`
			`storage = "/local/acme.json"`
Get letsencrypt certs working with Traefik 2022-07-27 18:12:08 +00:00			`[certificatesResolvers.letsEncrypt.acme.dnsChallenge]`
			`provider = "cloudflare"`
			`resolvers = ["1.1.1.1:53", "8.8.8.8:53"]`
			`delayBeforeCheck = 0`
			`<< end ->>`
Simplify proxy routing 2022-03-14 22:58:03 +00:00			`EOH`
Add basic auth to traefik 2022-07-27 04:45:06 +00:00			`destination = "local/config/traefik.toml"`
Simplify proxy routing 2022-03-14 22:58:03 +00:00			`}`

Get letsencrypt certs working with Traefik 2022-07-27 18:12:08 +00:00			`template {`
			`data = <<EOH`
			`{{ with secret "kv/data/cloudflare" }}`
			`CF_DNS_API_TOKEN={{ .Data.data.api_token_dns_edit }}`
			`CF_ZONE_API_TOKEN={{ .Data.data.api_token_zone_read }}`
			`{{ end }}`
			`EOH`
			`destination = "secrets/cloudflare.env"`
			`env = true`
			`}`

Simplify proxy routing 2022-03-14 22:58:03 +00:00			`template {`
			`data = <<EOH`
			`[http]`
			`[http.routers]`
			`[http.routers.nomad]`
Add vault setup: Not secured 2022-03-15 18:57:00 +00:00			`entryPoints = ["websecure"]`
Simplify proxy routing 2022-03-14 22:58:03 +00:00			`# middlewares = []`
			`service = "nomad"`
Add basic auth to traefik 2022-07-27 04:45:06 +00:00			rule = "Host(`nomad.{{ keyOrDefault "global/base_hostname" "${var.base_hostname}" }}`)"
Simplify proxy routing 2022-03-14 22:58:03 +00:00			`[http.routers.consul]`
Add vault setup: Not secured 2022-03-15 18:57:00 +00:00			`entryPoints = ["websecure"]`
Simplify proxy routing 2022-03-14 22:58:03 +00:00			`# middlewares = []`
			`service = "consul"`
Add basic auth to traefik 2022-07-27 04:45:06 +00:00			rule = "Host(`consul.{{ keyOrDefault "global/base_hostname" "${var.base_hostname}" }}`)"
Add vault setup: Not secured 2022-03-15 18:57:00 +00:00			`[http.routers.vault]`
			`entryPoints = ["websecure"]`
			`# middlewares = []`
			`service = "vault"`
Add basic auth to traefik 2022-07-27 04:45:06 +00:00			rule = "Host(`vault.{{ keyOrDefault "global/base_hostname" "${var.base_hostname}" }}`)"
Simplify proxy routing 2022-03-14 22:58:03 +00:00
			`[http.services]`
Add basic auth to traefik 2022-07-27 04:45:06 +00:00			`{{ with service "nomad-client" -}}`
Simplify proxy routing 2022-03-14 22:58:03 +00:00			`[http.services.nomad]`
			`[http.services.nomad.loadBalancer]`
Add basic auth to traefik 2022-07-27 04:45:06 +00:00			`{{ range . -}}`
Simplify proxy routing 2022-03-14 22:58:03 +00:00			`[[http.services.nomad.loadBalancer.servers]]`
Add basic auth to traefik 2022-07-27 04:45:06 +00:00			`url = "http://{{ .Address }}:{{ .Port }}"`
			`{{ end }}`
			`{{- end }}`
			`{{ with service "consul" -}}`
Simplify proxy routing 2022-03-14 22:58:03 +00:00			`[http.services.consul]`
			`[http.services.consul.loadBalancer]`
Add basic auth to traefik 2022-07-27 04:45:06 +00:00			`{{ range . -}}`
Simplify proxy routing 2022-03-14 22:58:03 +00:00			`[[http.services.consul.loadBalancer.servers]]`
Use consul http port in traefik 2022-04-15 19:25:15 +00:00			`# Not using .Port because that's an RPC port`
Add basic auth to traefik 2022-07-27 04:45:06 +00:00			`url = "http://{{ .Address }}:8500"`
			`{{ end }}`
			`{{- end }}`
			`{{ with service "vault" -}}`
Add vault setup: Not secured 2022-03-15 18:57:00 +00:00			`[http.services.vault]`
			`[http.services.vault.loadBalancer]`
Make vault load balancer sticky Assets like css and js were not proxying correctly. I think it may be because they were proxying to a different instance and that the paths are dynamic. This should route subsequent requests for the session to a single backend. 2022-09-07 00:17:14 +00:00			`[http.services.vault.loadBalancer.sticky.cookie]`
Add basic auth to traefik 2022-07-27 04:45:06 +00:00			`{{ range . -}}`
Add vault setup: Not secured 2022-03-15 18:57:00 +00:00			`[[http.services.vault.loadBalancer.servers]]`
Add basic auth to traefik 2022-07-27 04:45:06 +00:00			`url = "http://{{ .Address }}:{{ .Port }}"`
			`{{ end }}`
			`{{- end }}`
			`EOH`
			`destination = "local/config/conf/route-hashi.toml"`
			`change_mode = "noop"`
			`}`

Fix syslog proxy Apparently traefik only supports http proxy over connect. https://github.com/traefik/traefik/issues/7803 2022-09-05 03:21:02 +00:00			`template {`
			`data = <<EOH`
			`{{ with service "syslogng" -}}`
			`[tcp.routers]`
			`[tcp.routers.syslogtcp]`
			`entryPoints = ["syslogtcp"]`
			`service = "syslogngtcp"`
			rule = "HostSNI(`*`)"

			`[tcp.services]`
			`[tcp.services.syslogngtcp]`
			`[tcp.services.syslogngtcp.loadBalancer]`
			`{{ range . -}}`
			`[[tcp.services.syslogngtcp.loadBalancer.servers]]`
			`address = "{{ .Address }}:{{ .Port }}"`
			`{{ end -}}`
			`{{ end }}`

			`{{ with service "syslogng" -}}`
			`[udp.routers]`
			`[udp.routers.syslogudp]`
			`entryPoints = ["syslogudp"]`
			`service = "syslogngudp"`

			`[udp.services]`
			`[udp.services.syslogngudp]`
			`[udp.services.syslogngudp.loadBalancer]`
			`{{ range . -}}`
			`[[udp.services.syslogngudp.loadBalancer.servers]]`
			`address = "{{ .Address }}:{{ .Port }}"`
			`{{ end -}}`
			`{{ end }}`
			`EOH`
			`destination = "local/config/conf/route-syslog-ng.toml"`
			`change_mode = "noop"`
			`}`

Add basic auth to traefik 2022-07-27 04:45:06 +00:00			`template {`
			`data = <<EOH`
			`[http.middlewares]`
			`{{ with secret "kv/data/traefik" }}`
			`{{ if .Data.data.usersfile }}`
			`[http.middlewares.basic-auth.basicAuth]`
			`usersFile = "/etc/traefik/usersfile"`
			`{{ end }}`
			`{{ end }}`
			`EOH`
			`destination = "local/config/conf/middlewares.toml"`
			`change_mode = "noop"`
			`}`

			`template {`
			`data = <<EOH`
			`{{ with secret "kv/data/traefik" }}`
			`{{ .Data.data.usersfile }}`
			`{{ end }}`
Simplify proxy routing 2022-03-14 22:58:03 +00:00			`EOH`
Add basic auth to traefik 2022-07-27 04:45:06 +00:00			`destination = "secrets/usersfile"`
Simplify proxy routing 2022-03-14 22:58:03 +00:00			`change_mode = "noop"`
Add some basic Nomad and k8s tests 2022-02-16 17:56:18 +00:00			`}`

			`resources {`
Tweak memory requirements for tasks 2022-07-25 22:51:16 +00:00			`cpu = 100`
			`memory = 100`
Bump Traefik mem limit We don't like this crashing 2022-07-28 00:26:13 +00:00			`memory_max = 500`
Add some basic Nomad and k8s tests 2022-02-16 17:56:18 +00:00			`}`
			`}`
			`}`
			`}`