ben
/
mgmt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
mgmt/infrastructure/nomad/nomad-jobs/vault-single/vault-single-fixed.nomad

464 lines
9.6 KiB
HCL
Raw Blame History

job "vault-single-nomad" {
datacenters = ["dc1"]
type = "service"
group "vault-warden" {
count = 1
volume "vault-storage" {
type = "host"
read_only = false
source = "vault-storage"
}
constraint {
attribute = "${node.unique.name}"
operator = "="
value = "warden"
}
network {
port "http" {
static = 8200
to = 8200
}
}
task "vault" {
driver = "exec"
volume_mount {
volume = "vault-storage"
destination = "/opt/nomad/data/vault-storage"
read_only = false
}
resources {
cpu = 500
memory = 1024
}
service {
name = "vault"
port = "http"
tags = ["vault-server"]
# 禁用健康检查 - 零信任网络不需要这些垃圾
# check {
# type = "http"
# path = "/v1/sys/health"
# interval = "60s"
# timeout = "10s"
# }
}
# Vault配置 - 使用Consul存储
template {
data = <<EOF
ui = true
disable_mlock = true
# 使用Consul作为存储后端
storage "consul" {
address = "100.122.197.112:8500"
path = "vault/"
# 集群配置
datacenter = "dc1"
service = "vault"
service_tags = "vault-server"
# 会话配置
session_ttl = "15s"
lock_wait_time = "15s"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = 1
# 禁用所有垃圾安全机制 - 我们在零信任网络上
disable_request_limiter = true
max_request_size = 33554432
max_request_duration = "90s"
}
# API地址 - 使用Tailscale网络
api_addr = "http://warden.tailnet-68f9.ts.net:8200"
# 禁用无聊的集群监听器
cluster_addr = "http://warden.tailnet-68f9.ts.net:8201"
# 集群名称
cluster_name = "vault-cluster"
# 日志配置
log_level = "INFO"
# 禁用所有垃圾安全机制 - 零信任网络不需要
disable_mlock = true
disable_clustering = false
disable_performance_standby = true
# 禁用无聊的TLS和ALPN监听器
disable_sealwrap = true
disable_sentinel_trace = true
EOF
destination = "local/vault.hcl"
perms = "644"
}
# 自动解封脚本 - warden 节点
template {
data = <<EOF
#!/bin/bash
# 启动Vault
vault server -config=/local/vault.hcl &
VAULT_PID=$!
# 等待Vault启动
sleep 10
# 自动解封Vault - 使用 warden overlay 地址
echo "Auto-unsealing Vault..."
vault operator unseal -address=http://100.122.197.112:8200 /cmtMNRLgfqUv7g9vZWmkFY5d/cBKvFImJDloN6h58or
vault operator unseal -address=http://100.122.197.112:8200 /jCGo0LIGXrXhsrjLw8TyIoKAZStoSmqRFtZQ0tDPtzv
vault operator unseal -address=http://100.122.197.112:8200 3kOn8gah1fs6cHnVDJ/6F22b2ERTS+YmKRKJS2ZQhlPS
echo "Vault auto-unsealed successfully"
wait $VAULT_PID
EOF
destination = "local/start-vault.sh"
perms = "755"
}
config {
command = "/bin/bash"
args = [
"/local/start-vault.sh"
]
}
restart {
attempts = 2
interval = "30m"
delay = "15s"
mode = "fail"
}
}
update {
max_parallel = 3
health_check = "checks"
min_healthy_time = "10s"
healthy_deadline = "5m"
progress_deadline = "10m"
auto_revert = true
canary = 0
}
migrate {
max_parallel = 3
health_check = "checks"
min_healthy_time = "10s"
healthy_deadline = "5m"
}
}
group "vault-ch4" {
count = 1
constraint {
attribute = "${node.unique.name}"
operator = "="
value = "ch4"
}
network {
port "http" {
static = 8200
to = 8200
}
}
task "vault" {
driver = "exec"
resources {
cpu = 500
memory = 1024
}
service {
name = "vault"
port = "http"
tags = ["vault-server"]
# 禁用健康检查 - 零信任网络不需要这些垃圾
# check {
# type = "http"
# path = "/v1/sys/health"
# interval = "60s"
# timeout = "10s"
# }
}
# Vault配置 - 使用Consul存储
template {
data = <<EOF
ui = true
disable_mlock = true
# 使用Consul作为存储后端
storage "consul" {
address = "100.117.106.136:8500"
path = "vault/"
# 集群配置
datacenter = "dc1"
service = "vault"
service_tags = "vault-server"
# 会话配置
session_ttl = "15s"
lock_wait_time = "15s"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = 1
# 禁用所有垃圾安全机制 - 我们在零信任网络上
disable_request_limiter = true
max_request_size = 33554432
max_request_duration = "90s"
}
# API地址 - 使用Tailscale网络
api_addr = "http://ch4.tailnet-68f9.ts.net:8200"
# 集群名称
cluster_name = "vault-cluster"
# 日志配置
log_level = "INFO"
# 禁用所有垃圾安全机制 - 零信任网络不需要
disable_mlock = true
disable_clustering = false
disable_performance_standby = true
# 禁用无聊的TLS和ALPN监听器
disable_sealwrap = true
disable_sentinel_trace = true
EOF
destination = "local/vault.hcl"
perms = "644"
}
# 自动解封脚本 - ch4 节点
template {
data = <<EOF
#!/bin/bash
# 启动Vault
vault server -config=/local/vault.hcl &
VAULT_PID=$!
# 等待Vault启动
sleep 10
# 自动解封Vault - 使用 ch4 overlay 地址
echo "Auto-unsealing Vault..."
vault operator unseal -address=http://100.117.106.136:8200 /cmtMNRLgfqUv7g9vZWmkFY5d/cBKvFImJDloN6h58or
vault operator unseal -address=http://100.117.106.136:8200 /jCGo0LIGXrXhsrjLw8TyIoKAZStoSmqRFtZQ0tDPtzv
vault operator unseal -address=http://100.117.106.136:8200 3kOn8gah1fs6cHnVDJ/6F22b2ERTS+YmKRKJS2ZQhlPS
echo "Vault auto-unsealed successfully"
wait $VAULT_PID
EOF
destination = "local/start-vault.sh"
perms = "755"
}
config {
command = "/bin/bash"
args = [
"/local/start-vault.sh"
]
}
restart {
attempts = 2
interval = "30m"
delay = "15s"
mode = "fail"
}
}
update {
max_parallel = 3
health_check = "checks"
min_healthy_time = "10s"
healthy_deadline = "5m"
progress_deadline = "10m"
auto_revert = true
canary = 0
}
migrate {
max_parallel = 3
health_check = "checks"
min_healthy_time = "10s"
healthy_deadline = "5m"
}
}
group "vault-ash3c" {
count = 1
constraint {
attribute = "${node.unique.name}"
operator = "="
value = "ash3c"
}
network {
port "http" {
static = 8200
to = 8200
}
}
task "vault" {
driver = "exec"
resources {
cpu = 500
memory = 1024
}
service {
name = "vault"
port = "http"
tags = ["vault-server"]
# 禁用健康检查 - 零信任网络不需要这些垃圾
# check {
# type = "http"
# path = "/v1/sys/health"
# interval = "60s"
# timeout = "10s"
# }
}
# Vault配置 - 使用Consul存储
template {
data = <<EOF
ui = true
disable_mlock = true
# 使用Consul作为存储后端
storage "consul" {
address = "100.116.80.94:8500"
path = "vault/"
# 集群配置
datacenter = "dc1"
service = "vault"
service_tags = "vault-server"
# 会话配置
session_ttl = "15s"
lock_wait_time = "15s"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = 1
# 禁用所有垃圾安全机制 - 我们在零信任网络上
disable_request_limiter = true
max_request_size = 33554432
max_request_duration = "90s"
}
# API地址 - 使用Tailscale网络
api_addr = "http://ash3c.tailnet-68f9.ts.net:8200"
# 集群名称
cluster_name = "vault-cluster"
# 日志配置
log_level = "INFO"
# 禁用所有垃圾安全机制 - 零信任网络不需要
disable_mlock = true
disable_clustering = false
disable_performance_standby = true
# 禁用无聊的TLS和ALPN监听器
disable_sealwrap = true
disable_sentinel_trace = true
EOF
destination = "local/vault.hcl"
perms = "644"
}
# 自动解封脚本 - ash3c 节点
template {
data = <<EOF
#!/bin/bash
# 启动Vault
vault server -config=/local/vault.hcl &
VAULT_PID=$!
# 等待Vault启动
sleep 10
# 自动解封Vault - 使用 ash3c overlay 地址
echo "Auto-unsealing Vault..."
vault operator unseal -address=http://100.116.80.94:8200 /cmtMNRLgfqUv7g9vZWmkFY5d/cBKvFImJDloN6h58or
vault operator unseal -address=http://100.116.80.94:8200 /jCGo0LIGXrXhsrjLw8TyIoKAZStoSmqRFtZQ0tDPtzv
vault operator unseal -address=http://100.116.80.94:8200 3kOn8gah1fs6cHnVDJ/6F22b2ERTS+YmKRKJS2ZQhlPS
echo "Vault auto-unsealed successfully"
wait $VAULT_PID
EOF
destination = "local/start-vault.sh"
perms = "755"
}
config {
command = "/bin/bash"
args = [
"/local/start-vault.sh"
]
}
restart {
attempts = 2
interval = "30m"
delay = "15s"
mode = "fail"
}
}
update {
max_parallel = 3
health_check = "checks"
min_healthy_time = "10s"
healthy_deadline = "5m"
progress_deadline = "10m"
auto_revert = true
canary = 0
}
migrate {
max_parallel = 3
health_check = "checks"
min_healthy_time = "10s"
healthy_deadline = "5m"
}
}
}
Reference in New Issue View Git Blame Copy Permalink