mgmt/components/vault/jobs/vault-cluster-podman.nomad


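# Nomad job: a three-server Vault cluster run under the podman driver with a
# Consul storage backend. Each server renders its own vault.hcl from the
# template below; the Consul ACL token in that file is fetched at render time
# from the "consul/creds/vault" secret.
job "vault-cluster" {
  datacenters = ["dc1"]
  type        = "service"

  group "vault-servers" {
    count = 3

    # Pin placement to the three named hosts. The static ports declared below
    # also stop two servers from being scheduled onto the same node.
    constraint {
      attribute = "${node.unique.name}"
      operator  = "regexp"
      value     = "(warden|ash3c|master)"
    }

    task "vault" {
      driver = "podman"

      config {
        # NOTE(review): a floating tag; pin to a specific release tag or image
        # digest so the cluster does not change silently on reschedule.
        image = "hashicorp/vault:latest"
        ports = ["api", "cluster"]

        # Start the server with the rendered config. The template is written
        # to the task's secrets/ directory, which the driver mounts into the
        # container at /secrets; the previous path (vault/config/vault.hcl)
        # was relative to the task dir and not mounted into the container.
        command = "vault"
        args = [
          "server",
          "-config=/secrets/vault.hcl",
        ]

        # Host networking: the api and cluster ports bind directly on the node.
        network_mode = "host"

        # IPC_LOCK lets Vault mlock its memory. With disable_mlock = true in
        # the config below the capability is currently unused; keep both in
        # sync when mlock is turned back on.
        cap_add = ["IPC_LOCK"]
      }

      # Rendered into secrets/ rather than the task dir because the file embeds
      # the Consul ACL token. A rotated token re-renders the file and restarts
      # the task (change_mode = "restart").
      template {
        data = <<EOH
storage "consul" {
  address = "localhost:8500"
  path    = "vault/"
  token   = "{{ with secret "consul/creds/vault" }}{{ .Data.token }}{{ end }}"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1 # TLS should be enabled in production
}

api_addr      = "http://{{ env "NOMAD_IP_api" }}:8200"
cluster_addr  = "http://{{ env "NOMAD_IP_cluster" }}:8201"
ui            = true
disable_mlock = true
EOH
        destination = "secrets/vault.hcl"
        change_mode = "restart"
      }

      volume_mount {
        volume      = "vault-data"
        destination = "/vault/data"
        read_only   = false
      }

      resources {
        cpu    = 500
        memory = 1024

        network {
          mbits = 10
          port "api" {
            static = 8200
          }
          port "cluster" {
            static = 8201
          }
        }
      }

      service {
        name = "vault"
        port = "api"

        # Without standbyok the two standby servers answer 429 and the check
        # marks them unhealthy; sealed or uninitialized servers still fail.
        check {
          name     = "vault-health"
          type     = "http"
          path     = "/v1/sys/health?standbyok=true"
          interval = "10s"
          timeout  = "2s"
        }
      }
    }

    # Persistent data directory on the host; the podman task mounts it at
    # /vault/data.
    volume "vault-data" {
      type      = "host"
      read_only = false
      source    = "vault-data"
    }
  }
}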