
031d9b9a7649814606785c1b0984e34edc3a525b — Damien Radtke 10 months ago 29857ed
Trying to get fabio back up and running
M config/consul/base.hcl => config/consul/base.hcl +2 -2
@@ 9,8 9,8 @@ cert_file = "/etc/ssl/consul/consul.pem"
key_file = "/etc/ssl/consul/consul-key.pem"

addresses {
	# Bind HTTPS to both a local Unix socket and the advertise address.
	https = "unix:///var/run/consul/consul_https.sock {{ GetPublicInterfaces | include `type` `IPv6` | offset -1 | attr `address` }}"
	# Bind HTTPS to IPv6 loopback, a local Unix socket, and the advertise address.
	https = "::1 unix:///var/run/consul/consul_https.sock {{ GetPublicInterfaces | include `type` `IPv6` | offset -1 | attr `address` }}"
}

unix_sockets {
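Review bot: Binding the HTTPS listener to `::1` on the new `https =` line only helps a client that dials `https://localhost:8501` (as the fabio job in this commit does) if `localhost` resolves to `::1` on the node; on an image whose /etc/hosts maps localhost to 127.0.0.1 only, the connection is refused. Either bind the IPv4 loopback too, `https = "127.0.0.1 ::1 unix:///var/run/consul/consul_https.sock {{ GetPublicInterfaces | include `type` `IPv6` | offset -1 | attr `address` }}"`, or have clients address `https://[::1]:8501` explicitly. Whatever name the client verifies (`localhost`, `127.0.0.1` or `::1`) must also appear as a SAN in the server certificate at `/etc/ssl/consul/consul.pem`, which this file does not show; worth confirming before relying on the loopback bind. The `addresses` block is complete in the hunk, but `unix_sockets` continues below it.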

M jobs/acme-renewer.nomad.erb => jobs/acme-renewer.nomad.erb +4 -4
@@ 1,3 1,7 @@
<%
  @acme_sh_version = "2.8.5"
%>

job "acme-renewer" {
	region = "global"
	datacenters = ["ca-central"]


@@ 14,10 18,6 @@ job "acme-renewer" {
		unlimited = false
	}

	<%
	  @acme_sh_version = "2.8.5"
	%>

	# TODO: add www.damienradtke.com, radtke.family
	# also add something like this somewhere: 
	# "--reloadcmd", "vault kv put secret/fabio/certs/<domain> cert=@'${NOMAD_SECRETS_DIR}/fullchain.pem' key=@'${NOMAD_SECRETS_DIR}/key.pem'",

R jobs/fabio.nomad => jobs/fabio.nomad.erb +31 -12
@@ 1,24 1,40 @@
job "fabio" {
	region = "us"
<%
  @fabio_version  = "1.5.13"
  @golang_version = "1.13.4"
  @fabio_checksum = "sha256:716aaa264e2ffb7a98a574220e0e20d7d40e2f1b2717584d6f260e01f89220fc"
%>

	datacenters = ["us-central"]
job "fabio" {
	region = "global"
	datacenters = ["ca-central"]
	type = "service"

	group "fabio" {
		constraint {
			attribute = "${meta.role}"
			value     = "load-balancer"
		}

		task "fabio" {
			driver = "exec"
			config {
				command = "fabio-1.5.13-go1.13.4-linux_amd64",
				command = "fabio-<%= @fabio_version %>-go<%= @golang_version %>-linux_amd64",
				// TODO: this currently fails because consul-key.pem is not readable
				// Need to figure out a way to get fabio a client cert
				args = [
					"-registry.consul.addr", "https://localhost:8501",
					"-registry.consul.tls.cafile", "/etc/ssl/consul/ca.pem",
					"-registry.consul.tls.certfile", "/etc/ssl/nomad/consul.pem",
					"-registry.consul.tls.keyfile", "/etc/ssl/nomad/consul-key.pem",
					"-proxy.cs", "cs=mycerts;type=vault;cert=secret/fabio/certs",
					"-proxy.addr", "0.0.0.0:9999;cs=mycerts",
					"-proxy.addr", ":${NOMAD_PORT_balancer};cs=mycerts",
				]
			}

			artifact {
				source = "https://github.com/fabiolb/fabio/releases/download/v1.5.13/fabio-1.5.13-go1.13.4-linux_amd64"
				source = "https://github.com/fabiolb/fabio/releases/download/v<%= @fabio_version %>/fabio-<%= @fabio_version %>-go<%= @golang_version %>-linux_amd64"
				options {
					checksum = "sha256:716aaa264e2ffb7a98a574220e0e20d7d40e2f1b2717584d6f260e01f89220fc"
					checksum = "<%= @fabio_checksum %>"
				}
			}



@@ 27,8 43,10 @@ job "fabio" {
			}

			env {
				VAULT_CAPATH = "/etc/ssl/vault/ca.pem"
				VAULT_ADDR = "https://vault.service.consul:8200"
				VAULT_CAPATH = "/etc/ssl/vault/ca.pem"
				VAULT_CLIENT_CERT = "/etc/ssl/nomad/vault.pem"
				VAULT_CLIENT_KEY = "/etc/ssl/nomad/vault-key.pem"
			}

			resources {


@@ 38,6 56,7 @@ job "fabio" {
						static = 9998
					}
					port "balancer" {
						// TODO: if the below interpolation works, this doesn't need to be static
						static = 9999
					}
				}


@@ 48,14 67,14 @@ job "fabio" {
			driver = "raw_exec"
			config {
				command = "porter",
				args = ["-to", "localhost:9999"]
				args = ["-to", "localhost:${NOMAD_PORT_fabio_balancer}"]
			}

			artifact {
				source = "s3::http://${MINIO_HOST}:9000/artifacts/porter/porter"
				source = "s3::http://45.33.126.243:9000/artifacts/porter/porter"
				options {
					aws_access_key_id = "${MINIO_ACCESS_KEY}"
					aws_access_key_secret = "${MINIO_SECRET_KEY}"
					aws_access_key_id = "<%= secret('minio', 'access_key') %>"
					aws_access_key_secret = "<%= secret('minio', 'secret_key') %>"
				}
			}
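Review bot: The porter artifact is fetched over plaintext HTTP from a hard-coded IP with no `checksum` option and then run under `raw_exec` (typically as the Nomad agent's own user), so anyone on the path to 45.33.126.243:9000 can substitute the binary; the fabio artifact earlier in this file already pins `checksum = "<%= @fabio_checksum %>"`, so the same `options { checksum = "sha256:…" }` belongs here, and the source should be `s3::https://` if MinIO can serve TLS. Rendering `secret('minio', 'access_key')` into the job also writes the MinIO keys into the submitted job spec, where anyone with job read ACLs can recover them (`nomad job inspect`); a Vault `template` stanza would keep them out of the spec, though this may be acceptable if the rendered file never leaves the operator's machine — inferred from the ERB, not visible here. The `consul-key.pem is not readable` TODO earlier in the file points at the task borrowing the Nomad agent's Consul and Vault client identities from /etc/ssl/nomad; relaxing that key's permissions would expose it to every exec task on the node, so a dedicated fabio certificate (e.g. Vault PKI via `template`) is the least-privilege fix. The enclosing task and group blocks begin and end outside these hunks.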


M services/consul.service => services/consul.service +1 -1
@@ 10,7 10,7 @@ Group=consul
ExecStartPre=+/usr/bin/mkdir -p /var/run/consul
ExecStartPre=+/usr/bin/chown -R consul:consul /var/run/consul
ExecStart=/usr/local/bin/consul agent -config-dir=/etc/consul.d/
ExecReload=/usr/local/bin/consul reload
ExecReload=/usr/local/bin/consul reload -ca-file=/etc/ssl/consul/ca.pem -http-addr=unix:///var/run/consul/consul_https.sock
KillMode=process
Restart=on-failure
LimitNOFILE=65536
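Review bot: The new `ExecReload` drives the reload through the TLS API socket, which ties `systemctl reload consul` to a CA path, an ACL token and (if `verify_incoming` is enabled) a client certificate that this unit does not supply, so the reload breaks as soon as any of those change. Consul also re-reads its configuration on SIGHUP, so `ExecReload=/bin/kill -HUP $MAINPID` does the same job with no API dependency at all. If the API route is kept, it should be verified that `consul reload` actually negotiates TLS against a `unix://` address when only `-ca-file` is given (rather than an `https://` scheme or `CONSUL_HTTP_SSL=true`), since the listener bound to that socket in `base.hcl` is HTTPS.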

M stackscripts/cluster-member.sh => stackscripts/cluster-member.sh +1 -0
@@ 171,6 171,7 @@ EOF
# }}}

set_hostname
update-ca-certificates --verbose  # sometimes the CA certs folder is empty, this seems to fix it
install_base_packages
create_user
systemctl enable firewalld; service firewalld start
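Review bot: `update-ca-certificates --verbose` is added as a workaround for an empty CA store, but nothing checks that it worked, and every later TLS step (package installs, artifact downloads, Consul and Nomad bootstrap) fails obscurely if the directory is still empty. A guard right after it, `[ -n "$(ls -A /var/lib/ca-certificates/pem 2>/dev/null)" ] || { echo 'CA store still empty after update-ca-certificates' >&2; exit 1; }`, turns that into a loud early failure. The comment should record what is actually known rather than "seems to fix it", e.g. `# Regenerate the system CA bundle: /var/lib/ca-certificates/pem has come up empty on fresh images (root cause not yet identified)`; it is also possible the bundle only exists once `install_base_packages` has run, in which case the call belongs after it — not verifiable from this hunk.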

M terraform/main.tf => terraform/main.tf +18 -0
@@ 70,6 70,24 @@ module "nomad-client" {
  ca_key           = var.ca_key
}

module "nomad-client-load-balancer" {
  source = "./nomad-client"

  clients           = 1
  consul_version    = "1.7.2"
  nomad_version     = "0.9.7"
	meta              = map("role", "load-balancer")
  consul_server_ips = module.consul-server.ips

  datacenter       = local.region
  image            = local.image
  instance_type    = local.instance_type
  stackscript_id   = local.stackscript_id
  authorized_users = local.authorized_users
  ca_host          = var.ca_host
  ca_key           = var.ca_key
}

module "vault-server" {
  source = "./vault-server"
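Review bot: `meta = map("role", "load-balancer")` is the one line in the new `nomad-client-load-balancer` block indented with a tab while the rest uses two spaces, and `map()` has been deprecated since Terraform 0.12 in favour of an object literal; `meta = { role = "load-balancer" }` plus `terraform fmt` settles both. The Consul and Nomad versions are also repeated as string literals here; if the sibling `nomad-client` module (mostly above the hunk) carries the same values, lifting them into `locals` keeps the two client pools from drifting apart.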


M terraform/nomad-client/main.tf => terraform/nomad-client/main.tf +6 -0
@@ 85,6 85,12 @@ resource "linode_instance" "clients" {
					# This is where SSL certs actually live on openSUSE. /etc/ssl/certs is symlinked to here
					"/var/lib/ca-certificates/pem" = "/var/lib/ca-certificates/pem"
				}

				meta {
					%{for key, value in var.meta~}
					"${key}" = "${value}"
					%{endfor~}
				}
			}

			plugin "raw_exec" {
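Review bot: The new `meta` block renders `"${key}" = "${value}"` with no escaping, so a value containing a double quote or backslash would produce an invalid Nomad client config on the node; `${jsonencode(key)} = ${jsonencode(value)}` emits properly quoted HCL strings for any input. A short comment above the block, `# Extra client meta from var.meta, matched by jobs via ${meta.<key>} constraints`, would also tell the reader why it exists. The enclosing stanza and heredoc begin above this hunk.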

M terraform/nomad-client/variables.tf => terraform/nomad-client/variables.tf +5 -0
@@ 12,3 12,8 @@ variable ca_key { type = string }
variable consul_version { type = string }
variable nomad_version { type = string }
variable consul_server_ips { type = list(string) }

variable meta {
	type = map(string)
	default = {}
}
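Review bot: `variable meta` is declared without a `description`, and it is the one input in this file that takes free-form key/value data; `description = "Extra Nomad client meta key/values, exposed to jobs as ${meta.<key>}"` documents the contract for callers. Its body is also tab-indented while the neighbouring declarations are single-line; `terraform fmt` normalizes it.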