WIP: working on sidecars, it fails

LUXEY Adrien 2021-06-06 13:40:04 +02:00
parent 66818430bb
commit 213e42f4ad
5 changed files with 119 additions and 18 deletions


@ -11,15 +11,19 @@
* [x] Dummy HTTP server to have something to work with. * [x] Dummy HTTP server to have something to work with.
* [x] Reverse-proxy/load-balancer: nginx is a good match for a one-node deployment. Installing it with Nomad/Consul will make me practice Consul Template etc. * [x] Reverse-proxy/load-balancer: nginx is a good match for a one-node deployment. Installing it with Nomad/Consul will make me practice Consul Template etc.
SSL using nginx is pain. I undrstand the interest of traefik or fabio in that sense: their close collaboration with Nomad allow them to automate certificates generation.
Consequently, SSL is not supported at the moment. (It would be manual using nginx.)
* [x] Generate services configuration outside the nginx service definition. * [x] Generate services configuration outside the nginx service definition.
Can't do because of *separation of concerns*: files needed by nginx need to be defined in the nginx job specification. Can't do because of *separation of concerns*: files needed by nginx need to be defined in the nginx job specification.
Solution: each new service needs to add its nginx configuration to `app/nginx/config`, plus a template stanza in `app/nginx/deploy/nginx.hcl`. Lame. Solution: each new web service needs:
* The services URL should be accessible from Consul using tags, instead of being hard-coded in configuration files. * an nginx configuration template at `app/nginx/config`
* The dummy HTTP server replicas must not be accessible through the Internet. * a template stanza in `app/nginx/deploy/nginx.hcl` to interpret the above template configuration. Which is lame.
* TLS: Let's Encrypt will probably be part of the same job definition as nginx.
2. Wiki installation 2. Wiki installation
@ -27,7 +31,7 @@
* [x] Persistent data volume - using `host_volume` in the `client` config of Nomad (requires a restart, and it's not so fun to add volumes there). * [x] Persistent data volume - using `host_volume` in the `client` config of Nomad (requires a restart, and it's not so fun to add volumes there).
* [ ] How can Postgres be its own job, while letting it talk to other jobs? With Consul Connect apparently. * [ ] How can Postgres be its own job, while not exposing it publicly and still letting it talk to other jobs? With Consul Connect apparently.


@ -0,0 +1,65 @@
job "countdash" {
datacenters = ["dc1"]
group "api" {
network {
mode = "bridge"
}
service {
name = "count-api"
port = "9001"
connect {
sidecar_service {}
}
}
task "web" {
driver = "docker"
config {
image = "hashicorpnomad/counter-api:v3"
}
}
}
group "dashboard" {
network {
mode = "bridge"
port "http" {
static = 9002
to = 9002
}
}
service {
name = "count-dashboard"
port = "9002"
connect {
sidecar_service {
proxy {
upstreams {
destination_name = "count-api"
local_bind_port = 8080
}
}
}
}
}
task "dashboard" {
driver = "docker"
env {
COUNTING_SERVICE_URL = "http://${NOMAD_UPSTREAM_ADDR_count_api}"
}
config {
image = "hashicorpnomad/counter-dashboard:v3"
}
}
}
}
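Review bot: The `dashboard` group publishes the demo UI on the host with `static = 9002`, so it is reachable from wherever the host is reachable — likely the Internet, given the public `gitea.hammerhead.luxeylab.net` domain elsewhere in this commit — while the TODO list updated in the same commit says test HTTP servers must not be Internet-accessible. The dashboard has no authentication of its own, and Connect only protects the dashboard→count-api hop, not the host-mapped port. If this is a throwaway job for debugging the sidecar failure, add a firewall rule or a `host_network = "<private-interface>"` on `port "http"` (with a matching `host_network` in the Nomad client config), and remove the job once the problem is understood. Minor: `local_bind_port = 8080` is an unquoted integer here but quoted as `"5432"` in the gitea job; pick one form.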


@ -11,6 +11,7 @@ job "gitea" {
} }
network { network {
mode = "bridge"
port "http" { to = 3000 } port "http" { to = 3000 }
port "ssh" { to = 22 } port "ssh" { to = 22 }
} }
@ -26,6 +27,7 @@ job "gitea" {
# timeout = "2s" # timeout = "2s"
# } # }
} }
service { service {
name = "gitea-ssh" name = "gitea-ssh"
port = "ssh" port = "ssh"
@ -38,6 +40,24 @@ job "gitea" {
# } # }
} }
service {
name = "gitea-db"
connect {
sidecar_service {
proxy {
upstreams {
# Required
destination_name = "postgres"
local_bind_port = "5432"
# Optional
# local_bind_address = "127.0.0.1"
}
}
}
}
}
task "gitea" { task "gitea" {
driver = "docker" driver = "docker"
@ -71,10 +91,9 @@ DB_TYPE = "postgres"
DB_USER = "{{ key "secrets/postgres/gitea/user" }}" DB_USER = "{{ key "secrets/postgres/gitea/user" }}"
DB_PASSWD = "{{ key "secrets/postgres/gitea/password" }}" DB_PASSWD = "{{ key "secrets/postgres/gitea/password" }}"
DB_NAME = "{{ key "secrets/postgres/gitea/db_name" }}" DB_NAME = "{{ key "secrets/postgres/gitea/db_name" }}"
DB_HOST = "{{ with service "postgres" }}{{ with index . 0 }}{{ .Address }}:{{ .Port }}{{ end }}{{ end }}"
EOH EOH
destination = "secrets/env" destination = "secrets/env.env"
env = true env = true
change_mode = "restart" change_mode = "restart"
} }
@ -82,6 +101,7 @@ EOH
env { env {
DOMAIN = "gitea.hammerhead.luxeylab.net" DOMAIN = "gitea.hammerhead.luxeylab.net"
SSH_DOMAIN = "gitea.hammerhead.luxeylab.net" SSH_DOMAIN = "gitea.hammerhead.luxeylab.net"
DB_HOST = "${NOMAD_UPSTREAM_ADDR_postgres}"
} }
} }
} }
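Review bot: The new `gitea-db` service declares a Connect sidecar with a `postgres` upstream but no `port`, unlike the `count-dashboard` service added in the same commit, which sets `port = "9002"`; if the "it fails" in the title is a job-validation error, this is the first thing to check. The name also matters for authorization: Consul intentions are keyed on the source service name, so the rule that eventually allows Gitea to reach Postgres has to read `gitea-db -> postgres`, and `gitea-db` reads as if it were the database itself — `gitea` or `gitea-app` would be less confusing for whoever writes that intention. `local_bind_port = "5432"` is a quoted string while countdash uses an unquoted integer; Nomad's HCL decoding will usually coerce it, but use one form. Note that no intention is defined anywhere in this commit, so with Consul's default allow-all the sidecar adds encryption but not access control to the Postgres hop.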


@ -14,18 +14,26 @@ job "postgres" {
} }
network { network {
port "db" { static = 5432 } mode = "bridge"
# port "db" {
# static = 5432
# to = 5432
# }
} }
service { service {
name = "postgres" name = "postgres"
port = "db" port = "5432"
check { # check {
name = "alive" # name = "alive"
type = "tcp" # type = "tcp"
interval = "10s" # interval = "10s"
timeout = "2s" # timeout = "2s"
# }
connect {
sidecar_service {}
} }
} }
@ -33,7 +41,7 @@ job "postgres" {
driver = "docker" driver = "docker"
config { config {
ports = ["db"] # ports = ["db"]
image = "postgres" image = "postgres"
} }
@ -53,7 +61,7 @@ POSTGRES_USER = "{{ key "secrets/postgres/user" }}"
POSTGRES_PASSWORD = "{{ key "secrets/postgres/password" }}" POSTGRES_PASSWORD = "{{ key "secrets/postgres/password" }}"
EOH EOH
destination = "secrets/env" destination = "secrets/env.env"
env = true env = true
change_mode = "restart" change_mode = "restart"
} }
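Review bot: The `alive` TCP check is commented out rather than adapted to bridge networking, so Consul now reports `postgres` passing as soon as the allocation is running, and the gitea sidecar can be handed an upstream that is not yet accepting connections. In bridge mode the check can probe the allocation's own network namespace with `address_mode = "alloc"` instead of a host-mapped port, as sketched below; confirm on the Nomad version in use that the numeric port form is accepted there. Leaving `port "db"` and `ports = ["db"]` commented out rather than deleted also clutters the spec — git keeps the history. Separately, `image = "postgres"` floats on `latest`; pinning a major (e.g. `postgres:13`) prevents a future pull from silently changing the on-disk data format under the persistent volume.
```hcl
service {
  name = "postgres"
  port = "5432"
  check {
    name         = "alive"
    type         = "tcp"
    port         = "5432"
    address_mode = "alloc"
    interval     = "10s"
    timeout      = "2s"
  }
  # … unchanged: connect { sidecar_service {} } …
}
```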


@ -13,17 +13,21 @@
"server": true, "server": true,
"ui": true, "ui": true,
"ports": { "ports": {
"dns": 53 "dns": 53,
"grpc": 8502
}, },
"recursors": [ "recursors": [
"213.186.33.99", "213.186.33.99",
"172.104.136.243" "172.104.136.243"
], ],
"encrypt": "2B2vxbfCRzu3Q29LEJAZBg==", "encrypt": "2B2vxbfCRzu3Q29LEJAZBg==",
"domain": "2.cluster.deuxfleurs.fr", "domain": "hammerhead.deuxfleurs.fr",
"performance": { "performance": {
"raft_multiplier": 10, "raft_multiplier": 10,
"rpc_hold_timeout": "30s", "rpc_hold_timeout": "30s",
"leave_drain_time": "30s" "leave_drain_time": "30s"
},
"connect": {
"enabled": true
} }
} }
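Review bot: Enabling Connect here (`"connect": {"enabled": true}` plus gRPC on 8502) gives the sidecars mutual TLS, but nothing in this file turns on ACLs, and without `acl.default_policy = "deny"` Consul's intention default is allow-all — any workload that can register a sidecar can reach `postgres` through the mesh. Add `"acl": {"enabled": true, "default_policy": "deny"}` (bootstrap a management token first) or at least a default-deny intention plus explicit allow rules before relying on Connect for the isolation the TODO list asks for. The gossip `encrypt` key on the unchanged line above is committed in plaintext, so anyone with read access to this repo can join the gossip pool; rotate it with `consul keyring` and inject it at deploy time rather than storing it here. Also check which address port 8502 binds to (it follows `client_addr`): if that is a public interface, the Envoy xDS endpoint is exposed without TLS unless `verify_incoming` and certificates are configured.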