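--- a/config/consul/base.hcl
+++ b/config/consul/base.hcl
@@ -9,8 +9,8 @@ cert_file = "/etc/ssl/consul/consul.pem"
 key_file = "/etc/ssl/consul/consul-key.pem"
 addresses {
- # Bind HTTPS to both a local Unix socket and the advertise address.
- https = "unix:///var/run/consul/consul_https.sock {{ GetPublicInterfaces | include `type` `IPv6` | offset -1 | attr `address` }}"
+ # Bind HTTPS to IPv6 loopback, a local Unix socket, and the advertise address.
+ https = "::1 unix:///var/run/consul/consul_https.sock {{ GetPublicInterfaces | include `type` `IPv6` | offset -1 | attr `address` }}"
 }
 unix_sockets {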
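Review bot: The added `::1` binds the TLS API on IPv6 loopback only, so local clients that connect by name — the fabio job in this commit uses `https://localhost:8501` — depend on `localhost` resolving to `::1` and on the Consul certificate being valid for whatever name or address they present; confirm the certificate's SANs cover `localhost`/`::1`, or bind `127.0.0.1 ::1 unix:///var/run/consul/consul_https.sock ...` so both loopback families work. The comment calls the templated third address the "advertise address", but `GetPublicInterfaces` selects a public IPv6 interface, so the HTTPS API is reachable from off-host; whether that is intended rests on `verify_incoming_https` and ACL settings that lie outside this hunk.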
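--- a/jobs/acme-renewer.nomad.erb
+++ b/jobs/acme-renewer.nomad.erb
@@ -1,3 +1,7 @@
+<%
+ @acme_sh_version = "2.8.5"
+%>
+
 job "acme-renewer" {
 region = "global"
 datacenters = ["ca-central"]
@@ -14,10 +18,6 @@ job "acme-renewer" {
 unlimited = false
 }
- <%
- @acme_sh_version = "2.8.5"
- %>
-
 # TODO: add www.damienradtke.com, radtke.family
 # also add something like this somewhere:
 # "--reloadcmd", "vault kv put secret/fabio/certs/<domain> cert=@'${NOMAD_SECRETS_DIR}/fullchain.pem' key=@'${NOMAD_SECRETS_DIR}/key.pem'",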
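--- a/jobs/fabio.nomad
+++ b/jobs/fabio.nomad.erb
@@ -1,24 +1,40 @@
-job "fabio" {
- region = "us"
+<%
+ @fabio_version = "1.5.13"
+ @golang_version = "1.13.4"
+ @fabio_checksum = "sha256:716aaa264e2ffb7a98a574220e0e20d7d40e2f1b2717584d6f260e01f89220fc"
+%>
- datacenters = ["us-central"]
+job "fabio" {
+ region = "global"
+ datacenters = ["ca-central"]
 type = "service"
 group "fabio" {
+ constraint {
+ attribute = "${meta.role}"
+ value = "load-balancer"
+ }
+
 task "fabio" {
 driver = "exec"
 config {
- command = "fabio-1.5.13-go1.13.4-linux_amd64",
+ command = "fabio-<%= @fabio_version %>-go<%= @golang_version %>-linux_amd64",
+ // TODO: this currently fails because consul-key.pem is not readable
+ // Need to figure out a way to get fabio a client cert
 args = [
+ "-registry.consul.addr", "https://localhost:8501",
+ "-registry.consul.tls.cafile", "/etc/ssl/consul/ca.pem",
+ "-registry.consul.tls.certfile", "/etc/ssl/nomad/consul.pem",
+ "-registry.consul.tls.keyfile", "/etc/ssl/nomad/consul-key.pem",
 "-proxy.cs", "cs=mycerts;type=vault;cert=secret/fabio/certs",
- "-proxy.addr", "0.0.0.0:9999;cs=mycerts",
+ "-proxy.addr", ":${NOMAD_PORT_balancer};cs=mycerts",
 ]
 }
 artifact {
- source = "https://github.com/fabiolb/fabio/releases/download/v1.5.13/fabio-1.5.13-go1.13.4-linux_amd64"
+ source = "https://github.com/fabiolb/fabio/releases/download/v<%= @fabio_version %>/fabio-<%= @fabio_version %>-go<%= @golang_version %>-linux_amd64"
 options {
- checksum = "sha256:716aaa264e2ffb7a98a574220e0e20d7d40e2f1b2717584d6f260e01f89220fc"
+ checksum = "<%= @fabio_checksum %>"
 }
 }
@@ -27,8 +43,10 @@ job "fabio" {
 }
 env {
- VAULT_CAPATH = "/etc/ssl/vault/ca.pem"
 VAULT_ADDR = "https://vault.service.consul:8200"
+ VAULT_CAPATH = "/etc/ssl/vault/ca.pem"
+ VAULT_CLIENT_CERT = "/etc/ssl/nomad/vault.pem"
+ VAULT_CLIENT_KEY = "/etc/ssl/nomad/vault-key.pem"
 }
 resources {
@@ -38,6 +56,7 @@ job "fabio" {
 static = 9998
 }
 port "balancer" {
+ // TODO: if the below interpolation works, this doesn't need to be static
 static = 9999
 }
 }
@@ -48,14 +67,14 @@ job "fabio" {
 driver = "raw_exec"
 config {
 command = "porter",
- args = ["-to", "localhost:9999"]
+ args = ["-to", "localhost:${NOMAD_PORT_fabio_balancer}"]
 }
 artifact {
- source = "s3::http://${MINIO_HOST}:9000/artifacts/porter/porter"
+ source = "s3::http://45.33.126.243:9000/artifacts/porter/porter"
 options {
- aws_access_key_id = "${MINIO_ACCESS_KEY}"
- aws_access_key_secret = "${MINIO_SECRET_KEY}"
+ aws_access_key_id = "<%= secret('minio', 'access_key') %>"
+ aws_access_key_secret = "<%= secret('minio', 'secret_key') %>"
 }
 }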
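Review bot: The porter artifact at `source = "s3::http://45.33.126.243:9000/artifacts/porter/porter"` in the last hunk is fetched over plain HTTP from a hard-coded address and, unlike the fabio artifact in the first hunk, carries no `checksum` option, so the binary that `raw_exec` runs as the host user is never integrity-checked; add `checksum = "sha256:<porter-sha256-placeholder>"` alongside the credentials in `options`. Rendering `secret('minio', 'access_key')` and `secret('minio', 'secret_key')` with ERB embeds the MinIO credentials in the submitted job specification, where anyone with read access to the job through the Nomad API can see them, so they are effectively shared with that audience. The `-registry.consul.tls.keyfile` TODO (unreadable `consul-key.pem`) likely also needs the `/etc/ssl/nomad` paths made available inside the `exec` task chroot, which the client agent config in terraform/nomad-client/main.tf controls — inferred from the directory mapping visible in that file's hunk, not from this one.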
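--- a/services/consul.service
+++ b/services/consul.service
@@ -10,7 +10,7 @@ Group=consul
 ExecStartPre=+/usr/bin/mkdir -p /var/run/consul
 ExecStartPre=+/usr/bin/chown -R consul:consul /var/run/consul
 ExecStart=/usr/local/bin/consul agent -config-dir=/etc/consul.d/
-ExecReload=/usr/local/bin/consul reload
+ExecReload=/usr/local/bin/consul reload -ca-file=/etc/ssl/consul/ca.pem -http-addr=unix:///var/run/consul/consul_https.sock
 KillMode=process
 Restart=on-failure
 LimitNOFILE=65536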
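Review bot: `ExecReload` now talks to the HTTPS listener through the Unix socket with only `-ca-file`; if that listener requires client certificates (`verify_incoming_https`), the reload is rejected and `systemctl reload consul` fails, so the line would also need `-client-cert=/etc/ssl/consul/consul.pem -client-key=/etc/ssl/consul/consul-key.pem` (the paths the agent itself uses in base.hcl). It is also worth confirming that the CLI negotiates TLS on a `unix://` address without an explicit `https` scheme or `CONSUL_HTTP_SSL=true`, since a plain-HTTP request to a TLS socket fails silently from systemd's point of view apart from the unit's reload status. A manual `consul reload` with these flags as the `consul` user settles both questions before the unit is rolled out.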
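--- a/stackscripts/cluster-member.sh
+++ b/stackscripts/cluster-member.sh
@@ -171,6 +171,7 @@ EOF
 # }}}
 set_hostname
+update-ca-certificates --verbose # sometimes the CA certs folder is empty, this seems to fix it
 install_base_packages
 create_user
 systemctl enable firewalld; service firewalld start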
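Review bot: `update-ca-certificates --verbose` is introduced with a comment admitting it only "seems to fix" an empty CA directory, so the cause is unknown, and if the command fails or still leaves the store empty, the TLS downloads and package fetches that follow may fail verification; whether the script aborts on a non-zero exit depends on a `set -e` outside this hunk. Make the expectation explicit so provisioning stops loudly instead: `update-ca-certificates --verbose && [ -n "$(ls -A /var/lib/ca-certificates/pem)" ] || { echo "CA trust store is empty" >&2; exit 1; }` — the directory is the one the nomad-client module maps into the task chroot elsewhere in this commit. Recording the root cause in the comment once it is found would let the workaround be removed later.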
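--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -70,6 +70,24 @@ module "nomad-client" {
 ca_key = var.ca_key
 }
+module "nomad-client-load-balancer" {
+ source = "./nomad-client"
+
+ clients = 1
+ consul_version = "1.7.2"
+ nomad_version = "0.9.7"
+ meta = map("role", "load-balancer")
+ consul_server_ips = module.consul-server.ips
+
+ datacenter = local.region
+ image = local.image
+ instance_type = local.instance_type
+ stackscript_id = local.stackscript_id
+ authorized_users = local.authorized_users
+ ca_host = var.ca_host
+ ca_key = var.ca_key
+}
+
 module "vault-server" {
 source = "./vault-server"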
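Review bot: The new `nomad-client-load-balancer` module hard-codes `consul_version = "1.7.2"` and `nomad_version = "0.9.7"` and appears to repeat every argument of the `nomad-client` module above it, so the two client pools will drift apart on the next upgrade unless both blocks are edited; moving the versions into `locals` (as `region`, `image` and `instance_type` already are) keeps them in one place. `meta = map("role", "load-balancer")` uses the `map()` function, deprecated since Terraform 0.12 and removed in later releases; the literal `meta = { role = "load-balancer" }` is equivalent for a `map(string)` variable and needs no function call.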
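--- a/terraform/nomad-client/main.tf
+++ b/terraform/nomad-client/main.tf
@@ -85,6 +85,12 @@ resource "linode_instance" "clients" {
 # This is where SSL certs actually live on openSUSE. /etc/ssl/certs is symlinked to here
 "/var/lib/ca-certificates/pem" = "/var/lib/ca-certificates/pem"
 }
+
+ meta {
+ %{for key, value in var.meta~}
+ "${key}" = "${value}"
+ %{endfor~}
+ }
 }
 plugin "raw_exec" {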
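Review bot: The `meta` block renders `var.meta` keys and values straight into the agent's HCL with `"${key}" = "${value}"`, so a value containing a double quote, a backslash or a `${` sequence produces an invalid or differently-interpreted client config; `var.meta` is declared as `map(string)` with no validation, and this template is the only place the values are escaped. Emitting `${jsonencode(key)} = ${jsonencode(value)}` instead yields quoted, escaped string literals that the HCL reader accepts for ordinary values, which is enough for the `role = "load-balancer"` use in this commit. The enclosing `linode_instance` resource and the template this snippet belongs to begin outside the hunk, so I cannot confirm whether the file is rendered through `templatefile` or an inline heredoc.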
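--- a/terraform/nomad-client/variables.tf
+++ b/terraform/nomad-client/variables.tf
@@ -12,3 +12,8 @@ variable ca_key { type = string }
 variable consul_version { type = string }
 variable nomad_version { type = string }
 variable consul_server_ips { type = list(string) }
+
+variable meta {
+ type = map(string)
+ default = {}
+}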
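Review bot: `variable meta` carries no `description`, although its purpose — key/value pairs written into the Nomad client's `meta` block and then usable in job `constraint` blocks via `${meta.<key>}`, as the fabio job in this commit does — is not obvious from the name; add `description = "Key/value pairs written to the Nomad client agent's meta block (usable in job constraints as meta.<key>)"`. Since the values are interpolated unescaped into the agent config by nomad-client/main.tf, the description is also the right place to say that keys and values must be plain identifiers without quotes or `${`.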