diff --git a/hammerhead/README.md b/hammerhead/README.md index c6834c7..92cc3b5 100644 --- a/hammerhead/README.md +++ b/hammerhead/README.md @@ -11,15 +11,19 @@ * [x] Dummy HTTP server to have something to work with. * [x] Reverse-proxy/load-balancer: nginx is a good match for a one-node deployment. Installing it with Nomad/Consul will make me practice Consul Template etc. + + SSL using nginx is pain. I undrstand the interest of traefik or fabio in that sense: their close collaboration with Nomad allow them to automate certificates generation. + + Consequently, SSL is not supported at the moment. (It would be manual using nginx.) + * [x] Generate services configuration outside the nginx service definition. Can't do because of *separation of concerns*: files needed by nginx need to be defined in the nginx job specification. - Solution: each new service needs to add its nginx configuration to `app/nginx/config`, plus a template stanza in `app/nginx/deploy/nginx.hcl`. Lame. + Solution: each new web service needs: - * The services URL should be accessible from Consul using tags, instead of being hard-coded in configuration files. - * The dummy HTTP server replicas must not be accessible through the Internet. - * TLS: Let's Encrypt will probably be part of the same job definition as nginx. + * an nginx configuration template at `app/nginx/config` + * a template stanza in `app/nginx/deploy/nginx.hcl` to interpret the above template configuration. Which is lame. 2. Wiki installation @@ -27,7 +31,7 @@ * [x] Persistent data volume - using `host_volume` in the `client` config of Nomad (requires a restart, and it's not so fun to add volumes there). - * [ ] How can Postgres be its own job, while letting it talk to other jobs? With Consul Connect apparently. + * [ ] How can Postgres be its own job, while not exposing it publicly and still letting it talk to other jobs? With Consul Connect apparently. 
diff --git a/hammerhead/app/countdash-example/deploy/countdash-example.hcl b/hammerhead/app/countdash-example/deploy/countdash-example.hcl
new file mode 100644
index 0000000..92cff7d
--- /dev/null
+++ b/hammerhead/app/countdash-example/deploy/countdash-example.hcl
@@ -0,0 +1,65 @@
+job "countdash" {
+ datacenters = ["dc1"]
+
+ group "api" {
+ network {
+ mode = "bridge"
+ }
+
+ service {
+ name = "count-api"
+ port = "9001"
+
+ connect {
+ sidecar_service {}
+ }
+ }
+
+ task "web" {
+ driver = "docker"
+
+ config {
+ image = "hashicorpnomad/counter-api:v3"
+ }
+ }
+ }
+
+ group "dashboard" {
+ network {
+ mode = "bridge"
+
+ port "http" {
+ static = 9002
+ to = 9002
+ }
+ }
+
+ service {
+ name = "count-dashboard"
+ port = "9002"
+
+ connect {
+ sidecar_service {
+ proxy {
+ upstreams {
+ destination_name = "count-api"
+ local_bind_port = 8080
+ }
+ }
+ }
+ }
+ }
+
+ task "dashboard" {
+ driver = "docker"
+
+ env {
+ COUNTING_SERVICE_URL = "http://${NOMAD_UPSTREAM_ADDR_count_api}"
+ }
+
+ config {
+ image = "hashicorpnomad/counter-dashboard:v3"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/hammerhead/app/gitea/deploy/gitea.hcl b/hammerhead/app/gitea/deploy/gitea.hcl
index 3b59cbc..9f6e1db 100644
--- a/hammerhead/app/gitea/deploy/gitea.hcl
+++ b/hammerhead/app/gitea/deploy/gitea.hcl
@@ -11,6 +11,7 @@ job "gitea" {
 }
 
 network {
+ mode = "bridge"
 port "http" { to = 3000 }
 port "ssh" { to = 22 }
 }
@@ -26,6 +27,7 @@ job "gitea" {
 # timeout = "2s"
 # }
 }
+
 service {
 name = "gitea-ssh"
 port = "ssh"
@@ -38,6 +40,24 @@ job "gitea" {
 # }
 }
 
+ service {
+ name = "gitea-db"
+
+ connect {
+ sidecar_service {
+ proxy {
+ upstreams {
+ # Required
+ destination_name = "postgres"
+ local_bind_port = "5432"
+ # Optional
+ # local_bind_address = "127.0.0.1"
+ }
+ }
+ }
+ }
+ }
+
 task "gitea" {
 driver = "docker"
 
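Review bot: The `dashboard` group publishes `static = 9002` on the host, so the counter dashboard listens on every interface of the node and bypasses the nginx reverse proxy that the README treats as the single public entry point; the README's own goal of keeping backend replicas off the Internet does not hold for this job. This looks like the upstream HashiCorp Connect example copied as-is, so if it is only a mesh smoke test a header comment such as `# Connect smoke test from the Nomad docs; the static 9002 port is reachable on the host network, do not run it unattended` would make that explicit, otherwise drop `static` and front it through nginx like the other web services. Also, `count-api` registers with `sidecar_service {}` and no `check`, so Consul will hand it out as an upstream regardless of readiness.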
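Review bot: In the `gitea-db` service, `local_bind_port = "5432"` is written as a string while the same field in the countdash example is the integer `8080`; the Nomad parser presumably coerces it, but the two files disagree on style, and the `# Required` / `# Optional` comments read as copied from documentation rather than explaining this job. I would write `local_bind_port = 5432` and replace both comments with a why-comment, e.g. `# Expose the postgres upstream on the group's loopback; this port only has to match DB_HOST in the gitea env below`. It is also worth a comment that `gitea-db` has no `port` of its own and exists purely to carry the upstream definition, since a reader will otherwise look for a listener behind it.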
@@ -71,10 +91,9 @@ DB_TYPE = "postgres"
 DB_USER = "{{ key "secrets/postgres/gitea/user" }}"
 DB_PASSWD = "{{ key "secrets/postgres/gitea/password" }}"
 DB_NAME = "{{ key "secrets/postgres/gitea/db_name" }}"
-DB_HOST = "{{ with service "postgres" }}{{ with index . 0 }}{{ .Address }}:{{ .Port }}{{ end }}{{ end }}"
 EOH
 
- destination = "secrets/env"
+ destination = "secrets/env.env"
 env = true
 change_mode = "restart"
 }
@@ -82,6 +101,7 @@ EOH
 env {
 DOMAIN = "gitea.hammerhead.luxeylab.net"
 SSH_DOMAIN = "gitea.hammerhead.luxeylab.net"
+ DB_HOST = "${NOMAD_UPSTREAM_ADDR_postgres}"
 }
 }
 }
diff --git a/hammerhead/app/postgres/deploy/postgres.hcl b/hammerhead/app/postgres/deploy/postgres.hcl
index 19e0e0a..6307056 100644
--- a/hammerhead/app/postgres/deploy/postgres.hcl
+++ b/hammerhead/app/postgres/deploy/postgres.hcl
@@ -14,18 +14,26 @@ job "postgres" {
 }
 
 network {
- port "db" { static = 5432 }
+ mode = "bridge"
+ # port "db" {
+ # static = 5432
+ # to = 5432
+ # }
 }
 
 service {
 name = "postgres"
- port = "db"
+ port = "5432"
 
- check {
- name = "alive"
- type = "tcp"
- interval = "10s"
- timeout = "2s"
+ # check {
+ # name = "alive"
+ # type = "tcp"
+ # interval = "10s"
+ # timeout = "2s"
+ # }
+
+ connect {
+ sidecar_service {}
 }
 }
 
@@ -33,7 +41,7 @@ job "postgres" {
 driver = "docker"
 
 config {
- ports = ["db"]
+ # ports = ["db"]
 image = "postgres"
 }
 
@@ -53,7 +61,7 @@ POSTGRES_USER = "{{ key "secrets/postgres/user" }}"
 POSTGRES_PASSWORD = "{{ key "secrets/postgres/password" }}"
 EOH
 
- destination = "secrets/env"
+ destination = "secrets/env.env"
 env = true
 change_mode = "restart"
 }
 
diff --git a/hammerhead/os/config/consul.json b/hammerhead/os/config/consul.json
index aab2c2b..7abcabc 100644
--- a/hammerhead/os/config/consul.json
+++ b/hammerhead/os/config/consul.json
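Review bot: The rename of the credential template's `destination` from `secrets/env` to `secrets/env.env` is not explained anywhere, and the same rename is repeated in the postgres job's template hunk (`@@ -53,7 +61,7 @@`); a reader cannot tell whether the extension is required by Nomad's `env = true` handling or is cosmetic. I would add a one-line comment above `destination` in both jobs stating the reason, e.g. `# NOTE: .env suffix — document why the plain "secrets/env" name was replaced (confirm against the Nomad version in use)`, so the next change does not silently revert it. The surrounding `template` block starts before this hunk.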
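Review bot: Commenting out the `check` block leaves the `postgres` Consul service with no liveness signal, so Connect keeps offering it as an upstream while the database is starting or down and gitea's `DB_HOST` (now `${NOMAD_UPSTREAM_ADDR_postgres}`) gets connection refused instead of the service being marked critical. The check was presumably disabled because in `mode = "bridge"` without a host port the agent cannot reach the container's 5432 from the host; Nomad can still probe it from inside the allocation's namespace with `address_mode` and a numeric port, which keeps the database unexposed while restoring the health signal (the exact `address_mode` value depends on the Nomad version deployed, so confirm before merging). I would also keep a comment on the disabled `port "db"` block saying it is intentionally off so Postgres is never published on the host.
```hcl
    service {
      name = "postgres"
      port = "5432"

      # Probe from inside the alloc's network namespace: no host port is
      # published, so the default host-side check cannot reach 5432.
      check {
        name         = "alive"
        type         = "tcp"
        port         = 5432
        address_mode = "alloc"
        interval     = "10s"
        timeout      = "2s"
      }

      # … unchanged: connect { sidecar_service {} } …
    }
```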
@@ -13,17 +13,21 @@
 "server": true,
 "ui": true,
 "ports": {
- "dns": 53
+ "dns": 53,
+ "grpc": 8502
 },
 "recursors": [
 "213.186.33.99",
 "172.104.136.243"
 ],
 "encrypt": "2B2vxbfCRzu3Q29LEJAZBg==",
- "domain": "2.cluster.deuxfleurs.fr",
+ "domain": "hammerhead.deuxfleurs.fr",
 "performance": {
 "raft_multiplier": 10,
 "rpc_hold_timeout": "30s",
 "leave_drain_time": "30s"
+ },
+ "connect": {
+ "enabled": true
 }
 }
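Review bot: `"connect": { "enabled": true }` is added with no ACL default-deny or intentions in sight, and Consul's intention default is allow when ACLs are off, so every job that registers a sidecar (`count-dashboard`, `gitea-db`) is permitted to open a mesh connection to `postgres` — the "not exposing it publicly" goal in the README is only met on the host network, not inside the mesh. An `acl` block may exist outside the lines shown; if it does not, add `"acl": { "enabled": true, "default_policy": "deny" }` and an explicit intention allowing `gitea` → `postgres`, and document that decision in the README since JSON cannot carry a comment. The new `grpc` port 8502 is what the Envoy sidecars talk to; check that it is bound to the same address as the other agent listeners rather than all interfaces (the `addresses`/`client_addr` settings are not in this hunk).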