~damien/infrastructure

ref: b481ba41c3bbdf8d4f9c0393f87b495160adc414 infrastructure/jobs/fabio.nomad.erb -rw-r--r-- 2.4 KiB
b481ba41 — Damien Radtke Suppress cluster env output if non-interactive 5 months ago 
                                                                                
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
<%
  @fabio_version  = "1.5.13"
  @golang_version = "1.13.4"
  @fabio_checksum = "sha256:716aaa264e2ffb7a98a574220e0e20d7d40e2f1b2717584d6f260e01f89220fc"
%>

job "fabio" {
	region = "global"
	datacenters = ["ca-central"]
	type = "service"

	group "fabio" {
		constraint {
			attribute = "${node.class}"
			value     = "load-balancer"
		}

		task "fabio" {
			driver = "exec"
			user   = "fabio"
			config {
				command = "fabio-<%= @fabio_version %>-go<%= @golang_version %>-linux_amd64",
				// TODO: this currently fails because consul-key.pem is not readable
				// Need to figure out a way to get fabio a client cert
				args = [
					"-registry.consul.addr", "https://localhost:8501",
					"-registry.consul.tls.cafile", "/etc/ssl/consul/ca.pem",
					"-registry.consul.tls.certfile", "/etc/ssl/fabio/consul.pem",
					"-registry.consul.tls.keyfile", "/etc/ssl/fabio/consul-key.pem",
					"-proxy.cs", "cs=mycerts;type=vault;cert=secret/fabio/certs",
					"-proxy.addr", ":${NOMAD_PORT_balancer};cs=mycerts",
				]
			}

			artifact {
				source = "https://github.com/fabiolb/fabio/releases/download/v<%= @fabio_version %>/fabio-<%= @fabio_version %>-go<%= @golang_version %>-linux_amd64"
				options {
					checksum = "<%= @fabio_checksum %>"
				}
			}

			vault {
				policies = ["fabio"]
			}

			env {
				VAULT_ADDR = "https://vault.service.consul:8200"
				VAULT_CAPATH = "/etc/ssl/vault/ca.pem"
				VAULT_CLIENT_CERT = "/etc/ssl/fabio/vault.pem"
				VAULT_CLIENT_KEY = "/etc/ssl/fabio/vault-key.pem"
			}

			resources {
				memory = 50  # MB
				network {
					port "ui" {
						static = 9998
					}
					port "balancer" {
						// TODO: if the below interpolation works, this doesn't need to be static
						static = 9999
					}
				}
			}
		}

		task "porter" {
			driver = "raw_exec"
			config {
				command = "porter",
				args = [
					"-to", "localhost:${NOMAD_PORT_fabio_balancer}",
					"-http-redirect", "photos.radtke.family=https://radtke-family.synology.me:4430/photo/",
				]
			}

			artifact {
				source = "s3::http://45.33.126.243:9000/artifacts/bin/porter"
				options {
					aws_access_key_id = "<%= secret('minio', 'access_key') %>"
					aws_access_key_secret = "<%= secret('minio', 'secret_key') %>"
				}
			}

			resources {
				memory = 50  # MB
				network {
					port "http" {
						static = 80
					}
					port "https" {
						static = 443
					}
				}
			}
		}
	}
}

// vim: set tabstop=4 shiftwidth=4: