diff options
Diffstat (limited to 'terraform-ci-infra/1n_nmd/nginx/conf/nomad/nginx.hcl')
-rw-r--r-- | terraform-ci-infra/1n_nmd/nginx/conf/nomad/nginx.hcl | 273 |
1 files changed, 273 insertions, 0 deletions
diff --git a/terraform-ci-infra/1n_nmd/nginx/conf/nomad/nginx.hcl b/terraform-ci-infra/1n_nmd/nginx/conf/nomad/nginx.hcl new file mode 100644 index 0000000000..9cb5f8ef45 --- /dev/null +++ b/terraform-ci-infra/1n_nmd/nginx/conf/nomad/nginx.hcl @@ -0,0 +1,273 @@ +job "${job_name}" { + # The "region" parameter specifies the region in which to execute the job. + # If omitted, this inherits the default region name of "global". + # region = "global" + # + # The "datacenters" parameter specifies the list of datacenters which should + # be considered when placing this task. This must be provided. + datacenters = "${datacenters}" + + # The "type" parameter controls the type of job, which impacts the scheduler's + # decision on placement. This configuration is optional and defaults to + # "service". For a full list of job types and their differences, please see + # the online documentation. + # + # For more information, please see the online documentation at: + # + # https://www.nomadproject.io/docs/jobspec/schedulers.html + # + type = "service" + + update { + # The "max_parallel" parameter specifies the maximum number of updates to + # perform in parallel. In this case, this specifies to update a single task + # at a time. + max_parallel = 0 + + # The "min_healthy_time" parameter specifies the minimum time the allocation + # must be in the healthy state before it is marked as healthy and unblocks + # further allocations from being updated. + min_healthy_time = "10s" + + # The "healthy_deadline" parameter specifies the deadline in which the + # allocation must be marked as healthy after which the allocation is + # automatically transitioned to unhealthy. Transitioning to unhealthy will + # fail the deployment and potentially roll back the job if "auto_revert" is + # set to true. + healthy_deadline = "3m" + + # The "progress_deadline" parameter specifies the deadline in which an + # allocation must be marked as healthy. The deadline begins when the first + # allocation for the deployment is created and is reset whenever an allocation + # as part of the deployment transitions to a healthy state. If no allocation + # transitions to the healthy state before the progress deadline, the + # deployment is marked as failed. + progress_deadline = "10m" + + # The "auto_revert" parameter specifies if the job should auto-revert to the + # last stable job on deployment failure. A job is marked as stable if all the + # allocations as part of its deployment were marked healthy. + auto_revert = false + + # The "canary" parameter specifies that changes to the job that would result + # in destructive updates should create the specified number of canaries + # without stopping any previous allocations. Once the operator determines the + # canaries are healthy, they can be promoted which unblocks a rolling update + # of the remaining allocations at a rate of "max_parallel". + # + # Further, setting "canary" equal to the count of the task group allows + # blue/green deployments. When the job is updated, a full set of the new + # version is deployed and upon promotion the old version is stopped. + canary = 0 + } + + # The reschedule stanza specifies the group's rescheduling strategy. If + # specified at the job level, the configuration will apply to all groups + # within the job. If the reschedule stanza is present on both the job and the + # group, they are merged with the group stanza taking the highest precedence + # and then the job. + reschedule { + delay = "30s" + delay_function = "constant" + unlimited = true + } + + # The "group" stanza defines a series of tasks that should be co-located on + # the same Nomad client. Any task within a group will be placed on the same + # client. + # + # For more information and examples on the "group" stanza, please see + # the online documentation at: + # + # https://www.nomadproject.io/docs/job-specification/group.html + # + group "prod-group1-nginx" { + # The "count" parameter specifies the number of the task groups that should + # be running under this group. This value must be non-negative and defaults + # to 1. + count = 1 + + # The restart stanza configures a tasks's behavior on task failure. Restarts + # happen on the client that is running the task. + restart { + interval = "10m" + attempts = 2 + delay = "15s" + mode = "fail" + } + + # The "task" stanza creates an individual unit of work, such as a Docker + # container, web application, or batch processing. + # + # For more information and examples on the "task" stanza, please see + # the online documentation at: + # + # https://www.nomadproject.io/docs/job-specification/task.html + # + task "prod-task1-nginx" { + # The "driver" parameter specifies the task driver that should be used to + # run the task. + driver = "docker" + + # The "config" stanza specifies the driver configuration, which is passed + # directly to the driver to start the task. The details of configurations + # are specific to each driver, so please see specific driver + # documentation for more information. + config { + image = "nginx:stable" + dns_servers = [ "$${attr.unique.network.ip-address}" ] + port_map { + https = 443 + } + privileged = false + volumes = [ + "/etc/consul.d/ssl/consul.pem:/etc/ssl/certs/nginx-cert.pem", + "/etc/consul.d/ssl/consul-key.pem:/etc/ssl/private/nginx-key.pem", + "custom/upstream.conf:/etc/nginx/conf.d/upstream.conf", + "custom/logs.conf:/etc/nginx/conf.d/logs.conf", + "custom/docs.conf:/etc/nginx/conf.d/docs.conf" + ] + } + + # The "template" stanza instructs Nomad to manage a template, such as + # a configuration file or script. This template can optionally pull data + # from Consul or Vault to populate runtime configuration data. + # + # For more information and examples on the "template" stanza, please see + # the online documentation at: + # + # https://www.nomadproject.io/docs/job-specification/template.html + # + template { + data = <<EOH + upstream storage { + server storage0.storage.service.consul:9000; + server storage1.storage.service.consul:9000; + server storage2.storage.service.consul:9000; + server storage3.storage.service.consul:9000; + } + EOH + destination = "custom/upstream.conf" + } + template { + data = <<EOH + server { + listen 443 ssl default_server; + server_name logs.nginx.service.consul; + keepalive_timeout 70; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + ssl_protocols TLSv1.2; + ssl_prefer_server_ciphers on; + ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384"; + ssl_certificate /etc/ssl/certs/nginx-cert.pem; + ssl_certificate_key /etc/ssl/private/nginx-key.pem; + location / { + chunked_transfer_encoding off; + proxy_connect_timeout 300; + proxy_http_version 1.1; + proxy_set_header Host $host:$server_port; + proxy_set_header Connection ""; + proxy_pass http://storage/logs.fd.io/; + server_name_in_redirect off; + } + location ~ (.*html.gz)$ { + add_header Content-Encoding gzip; + add_header Content-Type text/html; + chunked_transfer_encoding off; + proxy_connect_timeout 300; + proxy_http_version 1.1; + proxy_set_header Host $host:$server_port; + proxy_set_header Connection ""; + proxy_pass http://storage/logs.fd.io/$1; + server_name_in_redirect off; + } + location ~ (.*txt.gz|.*log.gz)$ { + add_header Content-Encoding gzip; + add_header Content-Type text/plain; + chunked_transfer_encoding off; + proxy_connect_timeout 300; + proxy_http_version 1.1; + proxy_set_header Host $host:$server_port; + proxy_set_header Connection ""; + proxy_pass http://storage/logs.fd.io/$1; + server_name_in_redirect off; + } + location ~ (.*xml.gz)$ { + add_header Content-Encoding gzip; + add_header Content-Type application/xml; + chunked_transfer_encoding off; + proxy_connect_timeout 300; + proxy_http_version 1.1; + proxy_set_header Host $host:$server_port; + proxy_set_header Connection ""; + proxy_pass http://storage/logs.fd.io/$1; + server_name_in_redirect off; + } + } + EOH + destination = "custom/logs.conf" + } + template { + data = <<EOH + server { + listen 443 ssl; + server_name docs.nginx.service.consul; + keepalive_timeout 70; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + ssl_protocols TLSv1.2; + ssl_prefer_server_ciphers on; + ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384"; + ssl_certificate /etc/ssl/certs/nginx-cert.pem; + ssl_certificate_key /etc/ssl/private/nginx-key.pem; + location / { + chunked_transfer_encoding off; + proxy_connect_timeout 300; + proxy_http_version 1.1; + proxy_set_header Host $host:$server_port; + proxy_set_header Connection ""; + proxy_pass http://storage/docs.fd.io/; + server_name_in_redirect off; + } + } + EOH + destination = "custom/docs.conf" + } + + # The service stanza instructs Nomad to register a service with Consul. + # + # For more information and examples on the "task" stanza, please see + # the online documentation at: + # + # https://www.nomadproject.io/docs/job-specification/service.html + # + service { + name = "nginx" + port = "https" + tags = [ "docs", "logs" ] + } + + # The "resources" stanza describes the requirements a task needs to + # execute. Resource requirements include memory, network, cpu, and more. + # This ensures the task will execute on a machine that contains enough + # resource capacity. + # + # For more information and examples on the "resources" stanza, please see + # the online documentation at: + # + # https://www.nomadproject.io/docs/job-specification/resources.html + # + resources { + cpu = 1000 + memory = 1024 + network { + mode = "bridge" + port "https" { + static = 443 + } + } + } + } + } +}
\ No newline at end of file |