WIP: working on sidecars, it fails

hammerhead/README.md

@@ -11,15 +11,19 @@
 
 	* [x] Dummy HTTP server to have something to work with.
 	* [x] Reverse-proxy/load-balancer: nginx is a good match for a one-node deployment. Installing it with Nomad/Consul will make me practice Consul Template etc. 
+
+		SSL using nginx is pain. I undrstand the interest of traefik or fabio in that sense: their close collaboration with Nomad allow them to automate certificates generation. 
+
+		Consequently, SSL is not supported at the moment. (It would be manual using nginx.)
+
 	* [x] Generate services configuration outside the nginx service definition.
 
 		Can't do because of *separation of concerns*: files needed by nginx need to be defined in the nginx job specification.
 
-		Solution: each new service needs to add its nginx configuration to `app/nginx/config`, plus a template stanza in `app/nginx/deploy/nginx.hcl`. Lame.
+		Solution: each new web service needs:
 
-	* The services URL should be accessible from Consul using tags, instead of being hard-coded in configuration files.
+			* an nginx configuration template at `app/nginx/config`
-	* The dummy HTTP server replicas must not be accessible through the Internet.
+			* a template stanza in `app/nginx/deploy/nginx.hcl` to interpret the above template configuration. Which is lame.
-	* TLS: Let's Encrypt will probably be part of the same job definition as nginx.
 
 2. Wiki installation
 
@@ -27,7 +31,7 @@
 
 		* [x] Persistent data volume - using `host_volume` in the `client` config of Nomad (requires a restart, and it's not so fun to add volumes there).
 
-		* [ ] How can Postgres be its own job, while letting it talk to other jobs? With Consul Connect apparently.
+		* [ ] How can Postgres be its own job, while not exposing it publicly and still letting it talk to other jobs? With Consul Connect apparently.
 
 
 

hammerhead/app/countdash-example/deploy/countdash-example.hcl

@@ -0,0 +1,65 @@
+job "countdash" {
+  datacenters = ["dc1"]
+
+  group "api" {
+    network {
+      mode = "bridge"
+    }
+
+    service {
+      name = "count-api"
+      port = "9001"
+
+      connect {
+        sidecar_service {}
+      }
+    }
+
+    task "web" {
+      driver = "docker"
+
+      config {
+        image = "hashicorpnomad/counter-api:v3"
+      }
+    }
+  }
+
+  group "dashboard" {
+    network {
+      mode = "bridge"
+
+      port "http" {
+        static = 9002
+        to     = 9002
+      }
+    }
+
+    service {
+      name = "count-dashboard"
+      port = "9002"
+
+      connect {
+        sidecar_service {
+          proxy {
+            upstreams {
+              destination_name = "count-api"
+              local_bind_port  = 8080
+            }
+          }
+        }
+      }
+    }
+
+    task "dashboard" {
+      driver = "docker"
+
+      env {
+        COUNTING_SERVICE_URL = "http://${NOMAD_UPSTREAM_ADDR_count_api}"
+      }
+
+      config {
+        image = "hashicorpnomad/counter-dashboard:v3"
+      }
+    }
+  }
+}

hammerhead/app/gitea/deploy/gitea.hcl

@@ -11,6 +11,7 @@ job "gitea" {
     }
 
     network {
+      mode = "bridge"
       port "http" { to = 3000 }
       port "ssh" { to = 22 }
     }
@@ -26,6 +27,7 @@ job "gitea" {
       #   timeout  = "2s"
       # }
     }
+
     service {
       name = "gitea-ssh"
       port = "ssh"
@@ -38,6 +40,24 @@ job "gitea" {
       # }
     }
 
+    service {
+      name = "gitea-db"
+
+      connect {
+        sidecar_service {
+          proxy {
+            upstreams {
+              # Required
+              destination_name = "postgres"
+              local_bind_port = "5432"
+              # Optional
+              # local_bind_address = "127.0.0.1"
+            }
+          }
+        }
+      }
+    }
+
     task "gitea" {
       driver = "docker"
 
@@ -71,10 +91,9 @@ DB_TYPE   = "postgres"
 DB_USER   = "{{ key "secrets/postgres/gitea/user" }}"
 DB_PASSWD = "{{ key "secrets/postgres/gitea/password" }}"
 DB_NAME   = "{{ key "secrets/postgres/gitea/db_name" }}"
-DB_HOST   = "{{ with service "postgres" }}{{ with index . 0 }}{{ .Address }}:{{ .Port }}{{ end }}{{ end }}"
 EOH
 
-        destination = "secrets/env"
+        destination = "secrets/env.env"
         env         = true
         change_mode = "restart"
       }
@@ -82,6 +101,7 @@ EOH
       env {
         DOMAIN = "gitea.hammerhead.luxeylab.net"
         SSH_DOMAIN = "gitea.hammerhead.luxeylab.net"
+        DB_HOST   = "${NOMAD_UPSTREAM_ADDR_postgres}"
       }
     }
   }

hammerhead/app/postgres/deploy/postgres.hcl

@@ -14,18 +14,26 @@ job "postgres" {
     }
 
     network {
-      port "db" { static = 5432 }
+      mode = "bridge"
+      # port "db" { 
+      #   static = 5432
+      #   to = 5432 
+      # }
     }
 
     service {
       name = "postgres"
-      port = "db"
+      port = "5432"
 
-      check {
+      # check {
-        name     = "alive"
+      #   name     = "alive"
-        type     = "tcp"
+      #   type     = "tcp"
-        interval = "10s"
+      #   interval = "10s"
-        timeout  = "2s"
+      #   timeout  = "2s"
+      # }
+
+      connect {
+        sidecar_service {}
       }
     }
 
@@ -33,7 +41,7 @@ job "postgres" {
       driver = "docker"
 
       config {
-        ports = ["db"]
+        # ports = ["db"]
         image = "postgres"
       }
 
@@ -53,7 +61,7 @@ POSTGRES_USER     = "{{ key "secrets/postgres/user" }}"
 POSTGRES_PASSWORD = "{{ key "secrets/postgres/password" }}"
 EOH
 
-        destination = "secrets/env"
+        destination = "secrets/env.env"
         env         = true
         change_mode = "restart"
       }

hammerhead/os/config/consul.json

@@ -13,17 +13,21 @@
   "server": true,
   "ui": true,
   "ports": {
-     "dns": 53
+     "dns": 53,
+     "grpc": 8502
   },
   "recursors": [
     "213.186.33.99",
     "172.104.136.243"
   ],
   "encrypt": "2B2vxbfCRzu3Q29LEJAZBg==",
-  "domain": "2.cluster.deuxfleurs.fr",
+  "domain": "hammerhead.deuxfleurs.fr",
   "performance": {
     "raft_multiplier": 10,
     "rpc_hold_timeout": "30s",
     "leave_drain_time": "30s"
+  },
+  "connect": {
+    "enabled": true
   }
 }