
5243f3ead031b068bd2b830059067bcdc0ba23c3 — Damien Radtke 10 months ago 031d9b9
Fabio is finally running again!
3 files changed, 26 insertions(+), 4 deletions(-)

M jobs/fabio.nomad.erb
A policies/fabio.hcl
M terraform/nomad-client/main.tf
M jobs/fabio.nomad.erb => jobs/fabio.nomad.erb +5 -4
@@ 17,6 17,7 @@ job "fabio" {

		task "fabio" {
			driver = "exec"
			user   = "fabio"
			config {
				command = "fabio-<%= @fabio_version %>-go<%= @golang_version %>-linux_amd64",
				// TODO: this currently fails because consul-key.pem is not readable


@@ 24,8 25,8 @@ job "fabio" {
				args = [
					"-registry.consul.addr", "https://localhost:8501",
					"-registry.consul.tls.cafile", "/etc/ssl/consul/ca.pem",
					"-registry.consul.tls.certfile", "/etc/ssl/nomad/consul.pem",
					"-registry.consul.tls.keyfile", "/etc/ssl/nomad/consul-key.pem",
					"-registry.consul.tls.certfile", "/etc/ssl/fabio/consul.pem",
					"-registry.consul.tls.keyfile", "/etc/ssl/fabio/consul-key.pem",
					"-proxy.cs", "cs=mycerts;type=vault;cert=secret/fabio/certs",
					"-proxy.addr", ":${NOMAD_PORT_balancer};cs=mycerts",
				]


@@ 45,8 46,8 @@ job "fabio" {
			env {
				VAULT_ADDR = "https://vault.service.consul:8200"
				VAULT_CAPATH = "/etc/ssl/vault/ca.pem"
				VAULT_CLIENT_CERT = "/etc/ssl/nomad/vault.pem"
				VAULT_CLIENT_KEY = "/etc/ssl/nomad/vault-key.pem"
				VAULT_CLIENT_CERT = "/etc/ssl/fabio/vault.pem"
				VAULT_CLIENT_KEY = "/etc/ssl/fabio/vault-key.pem"
			}

			resources {
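Review bot: The new `// TODO: this currently fails because consul-key.pem is not readable` comment in the config block contradicts the rest of this commit, which moves both the Consul and Vault cert pairs to `/etc/ssl/fabio` and issues them to the `fabio` user in `terraform/nomad-client/main.tf`; if the problem is fixed the TODO should be dropped, and if it is not, it should say which file is unreadable and by which user. A comment stating the invariant would age better, e.g. `// Runs as the unprivileged "fabio" user; its Consul/Vault client certs must be issued to that user under /etc/ssl/fabio`. Not part of this change but visible in the context, `VAULT_CAPATH` points at a single `ca.pem` file while, as far as I recall, the Vault client treats `VAULT_CAPATH` as a directory and `VAULT_CACERT` as the file — worth verifying against the Vault client docs. The `task "fabio"` and `config` blocks both continue outside the first hunk.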

A policies/fabio.hcl => policies/fabio.hcl +7 -0
@@ 0,0 1,7 @@
path "secret/metadata/fabio/certs" {
  capabilities = ["list"]
}

path "secret/data/fabio/certs/*" {
  capabilities = ["read"]
}
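Review bot: The `list` grant on `secret/metadata/fabio/certs` uses an exact path with no trailing slash or glob; as far as I recall, Vault appends a trailing slash to the path of a list request before ACL matching, so this rule may not match and the listing would be denied — `path "secret/metadata/fabio/certs/*"` (or the trailing-slash form) is the usual spelling, and a `vault kv list` with a token bound to this policy would confirm which one works. The `read` scope on `secret/data/fabio/certs/*` is appropriately narrow. A one-line header comment naming the consumer, e.g. `# Vault policy for the fabio Nomad task: read-only access to its TLS certs (used by -proxy.cs in jobs/fabio.nomad.erb)`, would help future readers tie the policy to the job.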

M terraform/nomad-client/main.tf => terraform/nomad-client/main.tf +14 -0
@@ 179,6 179,17 @@ resource "linode_instance" "clients" {
    ]
  }

	// set up fabio cert directory and user
  provisioner "remote-exec" {
    connection { host = split("/", self.ipv6)[0] }
    inline = [
			"groupadd fabio",
      "useradd --gid fabio fabio",
      "mkdir -p --mode=0500 /etc/ssl/fabio",
			"chown fabio:fabio /etc/ssl/fabio",
    ]
  }

  // issue certs
  provisioner "remote-exec" {
    connection { host = split("/", self.ipv6)[0] }


@@ 189,6 200,9 @@ resource "linode_instance" "clients" {
      "/usr/local/bin/issue-cert.sh --user nomad --ca nomad --name nomad --hostnames client.global.nomad",
      "/usr/local/bin/issue-cert.sh --user nomad --ca consul --name consul",
      "/usr/local/bin/issue-cert.sh --user nomad --ca vault --name vault",
			// These last two enable Fabio to communicate with Consul and Vault while running.
      "/usr/local/bin/issue-cert.sh --user fabio --ca consul --name consul",
      "/usr/local/bin/issue-cert.sh --user fabio --ca vault --name vault",
    ]
  }
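Review bot: `"useradd --gid fabio fabio",` in the first hunk creates a full account with the default login shell and a home directory for what is only a service identity used by the exec driver; `"useradd --system --gid fabio --no-create-home --shell /usr/sbin/nologin fabio",` keeps it non-interactive (confirm the nologin path on the target image). The `groupadd`/`useradd` pair also exits non-zero when the group or user already exists, which would abort the provisioner on a re-run; a guard such as `"getent group fabio || groupadd fabio",` and `"id fabio || useradd ...",` makes the step idempotent. The added lines also mix tab indentation (the `// set up fabio cert directory and user` comment, `"groupadd fabio",`, `"chown fabio:fabio /etc/ssl/fabio",`, and the `// These last two ...` comment in the second hunk) with the file's two-space style. The enclosing `resource "linode_instance" "clients"` block starts before both hunks.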