refactoring of code

Signed-off-by: Martin Buchleitner <[email protected]>

nomad/app_dynamic.hcl

@@ -54,7 +54,9 @@ job "dynamic-app" {
     Port = {{ .Port }}
     {{end}}
 
-    Database = my_app
+    {{ with secret "dynamic-app/kv/database" }}
+    Database = {{ .Data.database }}
+    {{ end }}
     {{ with secret "dynamic-app/db/creds/app" }}
     User = {{ .Data.username }}
     Password = {{ .Data.password }}

nomad/app_hardcoded.hcl

@@ -49,9 +49,9 @@ job "dynamic-app" {
     Port = {{ .Port }}
     {{end}}
 
-    Database = my_app
-    User = root
-    Password = super-duper-password
+    Database = app
+    User = app
+    Password = my-app-super-password
 EOF
       }
       resources {

nomad/app_static.hcl

@@ -55,8 +55,8 @@ job "dynamic-app" {
     Port = {{ .Port }}
     {{end}}
 
-    Database = my_app
     {{ with secret "dynamic-app/kv/database" }}
+    Database = {{ .Data.database }}
     User = {{ .Data.username }}
     Password = {{ .Data.password }}
     {{ end }}

nomad/app_transit_connect.hcl

@@ -64,7 +64,9 @@ job "dynamic-app" {
     Address = 127.0.0.1
     Port = 3306
     
-    Database = my_app
+    {{ with secret "dynamic-app/kv/database" }}
+    Database = {{ .Data.database }}
+    {{ end }}
     {{ with secret "dynamic-app/db/creds/app" }}
     User = {{ .Data.username }}
     Password = {{ .Data.password }}

nomad/app_transit_connect_traefik.hcl

@@ -15,9 +15,6 @@ job "dynamic-app" {
 
     network {
       mode = "bridge"
-      // port "web" {
-      //   to = 8080
-      // }
     }
 
     vault {
@@ -32,8 +29,8 @@ job "dynamic-app" {
       port = "8080"
       tags = ["traefik.enable=true",
         "traefik.http.routers.dynamic-app.rule=Host(`dynamic-app.127.0.0.1.nip.io`)",
-        "traefik.http.routers.dynamic-app.entrypoints=http",
-        "traefik.http.routers.dynamic-app.tls=false",
+        "traefik.http.routers.dynamic-app.entrypoints=https",
+        "traefik.http.routers.dynamic-app.tls=true",
         "traefik.connsulcatalog.connect=true"
       ]
       connect {
@@ -78,7 +75,9 @@ job "dynamic-app" {
     Address = 127.0.0.1
     Port = 3306
     
-    Database = my_app
+    {{ with secret "dynamic-app/kv/database" }}
+    Database = {{ .Data.database }}
+    {{ end }}
     {{ with secret "dynamic-app/db/creds/app" }}
     User = {{ .Data.username }}
     Password = {{ .Data.password }}

nomad/mysql.hcl

@@ -22,11 +22,17 @@ job "mysql-server" {
 
       env = {
         "MYSQL_ROOT_PASSWORD" = "super-duper-password"
+        "MYSQL_DATABASE" = "app"
+        "MYSQL_USER" = "app"
+        "MYSQL_PASSWORD" = "my-app-super-password"
       }
 
       config {
         image = "mysql:9"
         ports = ["db"]
+        volumes = [
+          "/srv/mysql/:/var/lib/mysql"
+        ]
       }
 
       resources {

nomad/mysql_connect.hcl

@@ -13,6 +13,12 @@ job "mysql-server" {
       }
     }
 
+    vault {
+      policies      = ["nomad-dynamic-app", "nomad-mysql"]
+      change_mode   = "signal"
+      change_signal = "SIGINT"
+    }
+
     restart {
       attempts = 10
       interval = "5m"
@@ -23,16 +29,31 @@ job "mysql-server" {
     task "mysql-server" {
       driver = "docker"
 
-      env = {
-        "MYSQL_ROOT_PASSWORD" = "super-duper-password"
-      }
-
       config {
         image = "mysql:9"
-
         ports = ["db"]
+        volumes = [
+          "/srv/mysql/:/var/lib/mysql"
+        ]
       }
 
+      template {
+        env = true
+        destination = "secrets/.envs"
+        change_mode = "noop"
+        env         = true
+        data        = <<EOF
+{{ with secret "dynamic-app/kv/database" }}
+MYSQL_DATABASE = "{{ .Data.database }}"
+MYSQL_USER = "{{ .Data.username }}"
+MYSQL_PASSWORD = "{{ .Data.password }}"
+{{ end }}
+
+{{ with secret "dynamic-app/kv/database_root" }}
+MYSQL_ROOT_PASSWORD = "{{ .Data.password }}"
+{{ end }}
+EOF
+      }
       resources {
         cpu    = 500
         memory = 500

nomad/mysql_static.hcl

@@ -0,0 +1,66 @@
+job "mysql-server" {
+  datacenters = ["dc1"]
+  type        = "service"
+
+  group "mysql-server" {
+    count = 1
+
+    vault {
+      policies      = ["nomad-dynamic-app", "nomad-mysql"]
+      change_mode   = "signal"
+      change_signal = "SIGINT"
+    }
+
+    service {
+      name = "mysql-server"
+      port = "db"
+    }
+
+    restart {
+      attempts = 10
+      interval = "5m"
+      delay    = "25s"
+      mode     = "delay"
+    }
+
+    task "mysql-server" {
+      driver = "docker"
+
+      config {
+        image = "mysql:9"
+        ports = ["db"]
+        volumes = [
+          "/srv/mysql/:/var/lib/mysql"
+        ]
+      }
+      template {
+        env = true
+        destination = "secrets/.envs"
+        change_mode = "noop"
+        env         = true
+        data        = <<EOF
+{{ with secret "dynamic-app/kv/database" }}
+MYSQL_DATABASE = "{{ .Data.database }}"
+MYSQL_USER = "{{ .Data.username }}"
+MYSQL_PASSWORD = "{{ .Data.password }}"
+{{ end }}
+
+{{ with secret "dynamic-app/kv/database_root" }}
+MYSQL_ROOT_PASSWORD = "{{ .Data.password }}"
+{{ end }}
+EOF
+      }
+      resources {
+        cpu    = 500
+        memory = 500
+      }
+    }
+    network {
+      mode = "bridge"
+      port "db" {
+        static = 3306
+        to     = 3306
+      }
+    }
+  }
+}

setup/vault_kv.sh

@@ -21,7 +21,8 @@ fi
 if [ "$(vault secrets list  | jq  ' . | keys' | grep "$VAULT_MOUNT" | wc -l  | tr -d ' ')" -eq 0 ]; then
   vault secrets enable -path=$VAULT_MOUNT kv 
 fi
-vault kv put $VAULT_MOUNT/database username="root" password="super-duper-password"
+vault kv put $VAULT_MOUNT/database username="app" password="my-app-super-password" database="app"
+vault kv put $VAULT_MOUNT/database_root username="root" password="super-duper-password"
 
 if [ -n "$(vault policy list | grep nomad-dynamic-app)" ]; then
   exit 0
@@ -32,3 +33,10 @@ path \"$VAULT_MOUNT/database\" {
   capabilities = [ \"read\" ] 
 }
 " | vault policy write nomad-dynamic-app - 
+
+
+echo "
+path \"$VAULT_MOUNT/database_root\" { 
+  capabilities = [ \"read\" ] 
+}
+" | vault policy write nomad-mysql -