ben
/
mgmt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
mgmt/vault-cluster-ha.nomad

458 lines
8.2 KiB
HCL
Raw Blame History

job "vault-cluster-ha" {
datacenters = ["dc1"]
type = "service"
group "vault-leader" {
count = 1
volume "vault-storage" {
type = "host"
read_only = false
source = "vault-storage"
}
constraint {
attribute = "${node.unique.name}"
operator = "="
value = "warden"
}
network {
port "http" {
static = 8200
to = 8200
}
port "cluster" {
static = 8201
to = 8201
}
}
task "vault" {
driver = "exec"
volume_mount {
volume = "vault-storage"
destination = "/opt/nomad/data/vault-storage"
read_only = false
}
resources {
cpu = 1000
memory = 2048
}
env {
VAULT_ADDR = "http://127.0.0.1:8200"
VAULT_CLUSTER_ADDR = "http://127.0.0.1:8201"
}
# Vault 集群配置 - Leader 节点
template {
data = <<EOF
ui = true
disable_mlock = true
# 使用 Consul 作为存储后端
storage "consul" {
address = "ch4.tailnet-68f9.ts.net:8500"
path = "vault/"
# 集群配置
datacenter = "dc1"
service = "vault"
service_tags = "vault-server"
# 会话配置
session_ttl = "15s"
lock_wait_time = "15s"
# 健康检查
check_timeout = "5s"
}
# HTTP 监听器
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = 1
}
# 集群监听器
listener "tcp" {
address = "0.0.0.0:8201"
purpose = "cluster"
}
# API 地址 - 使用 Tailscale 网络
api_addr = "http://warden.tailnet-68f9.ts.net:8200"
# 集群地址 - 使用 Tailscale 网络
cluster_addr = "http://warden.tailnet-68f9.ts.net:8201"
# 集群名称
cluster_name = "vault-cluster"
# 日志配置
log_level = "INFO"
# 高可用配置
ha_storage "consul" {
address = "ch4.tailnet-68f9.ts.net:8500"
path = "vault-ha/"
datacenter = "dc1"
service = "vault"
service_tags = "vault-server"
session_ttl = "15s"
lock_wait_time = "15s"
check_timeout = "5s"
}
EOF
destination = "local/vault.hcl"
perms = "644"
}
config {
command = "vault"
args = [
"server",
"-config=/local/vault.hcl"
]
}
restart {
attempts = 3
interval = "30m"
delay = "15s"
mode = "fail"
}
# 健康检查
service {
name = "vault"
port = "http"
check {
type = "http"
path = "/v1/sys/health"
interval = "10s"
timeout = "5s"
}
}
}
update {
max_parallel = 1
health_check = "checks"
min_healthy_time = "30s"
healthy_deadline = "5m"
progress_deadline = "10m"
auto_revert = true
canary = 0
}
}
group "vault-follower-1" {
count = 1
volume "vault-storage" {
type = "host"
read_only = false
source = "vault-storage"
}
constraint {
attribute = "${node.unique.name}"
operator = "="
value = "ch4"
}
network {
port "http" {
static = 8200
to = 8200
}
port "cluster" {
static = 8201
to = 8201
}
}
task "vault" {
driver = "exec"
volume_mount {
volume = "vault-storage"
destination = "/opt/nomad/data/vault-storage"
read_only = false
}
resources {
cpu = 1000
memory = 2048
}
env {
VAULT_ADDR = "http://127.0.0.1:8200"
VAULT_CLUSTER_ADDR = "http://127.0.0.1:8201"
}
# Vault 集群配置 - Follower 节点
template {
data = <<EOF
ui = true
disable_mlock = true
# 使用 Consul 作为存储后端
storage "consul" {
address = "ch4.tailnet-68f9.ts.net:8500"
path = "vault/"
# 集群配置
datacenter = "dc1"
service = "vault"
service_tags = "vault-server"
# 会话配置
session_ttl = "15s"
lock_wait_time = "15s"
# 健康检查
check_timeout = "5s"
}
# HTTP 监听器
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = 1
}
# 集群监听器
listener "tcp" {
address = "0.0.0.0:8201"
purpose = "cluster"
}
# API 地址 - 使用 Tailscale 网络
api_addr = "http://ch4.tailnet-68f9.ts.net:8200"
# 集群地址 - 使用 Tailscale 网络
cluster_addr = "http://ch4.tailnet-68f9.ts.net:8201"
# 集群名称
cluster_name = "vault-cluster"
# 日志配置
log_level = "INFO"
# 高可用配置
ha_storage "consul" {
address = "ch4.tailnet-68f9.ts.net:8500"
path = "vault-ha/"
datacenter = "dc1"
service = "vault"
service_tags = "vault-server"
session_ttl = "15s"
lock_wait_time = "15s"
check_timeout = "5s"
}
EOF
destination = "local/vault.hcl"
perms = "644"
}
config {
command = "vault"
args = [
"server",
"-config=/local/vault.hcl"
]
}
restart {
attempts = 3
interval = "30m"
delay = "15s"
mode = "fail"
}
# 健康检查
service {
name = "vault"
port = "http"
check {
type = "http"
path = "/v1/sys/health"
interval = "10s"
timeout = "5s"
}
}
}
update {
max_parallel = 1
health_check = "checks"
min_healthy_time = "30s"
healthy_deadline = "5m"
progress_deadline = "10m"
auto_revert = true
canary = 0
}
}
group "vault-follower-2" {
count = 1
volume "vault-storage" {
type = "host"
read_only = false
source = "vault-storage"
}
constraint {
attribute = "${node.unique.name}"
operator = "="
value = "ash3c"
}
network {
port "http" {
static = 8200
to = 8200
}
port "cluster" {
static = 8201
to = 8201
}
}
task "vault" {
driver = "exec"
volume_mount {
volume = "vault-storage"
destination = "/opt/nomad/data/vault-storage"
read_only = false
}
resources {
cpu = 1000
memory = 2048
}
env {
VAULT_ADDR = "http://127.0.0.1:8200"
VAULT_CLUSTER_ADDR = "http://127.0.0.1:8201"
}
# Vault 集群配置 - Follower 节点
template {
data = <<EOF
ui = true
disable_mlock = true
# 使用 Consul 作为存储后端
storage "consul" {
address = "ch4.tailnet-68f9.ts.net:8500"
path = "vault/"
# 集群配置
datacenter = "dc1"
service = "vault"
service_tags = "vault-server"
# 会话配置
session_ttl = "15s"
lock_wait_time = "15s"
# 健康检查
check_timeout = "5s"
}
# HTTP 监听器
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = 1
}
# 集群监听器
listener "tcp" {
address = "0.0.0.0:8201"
purpose = "cluster"
}
# API 地址 - 使用 Tailscale 网络
api_addr = "http://ash3c.tailnet-68f9.ts.net:8200"
# 集群地址 - 使用 Tailscale 网络
cluster_addr = "http://ash3c.tailnet-68f9.ts.net:8201"
# 集群名称
cluster_name = "vault-cluster"
# 日志配置
log_level = "INFO"
# 高可用配置
ha_storage "consul" {
address = "ch4.tailnet-68f9.ts.net:8500"
path = "vault-ha/"
datacenter = "dc1"
service = "vault"
service_tags = "vault-server"
session_ttl = "15s"
lock_wait_time = "15s"
check_timeout = "5s"
}
EOF
destination = "local/vault.hcl"
perms = "644"
}
config {
command = "vault"
args = [
"server",
"-config=/local/vault.hcl"
]
}
restart {
attempts = 3
interval = "30m"
delay = "15s"
mode = "fail"
}
# 健康检查
service {
name = "vault"
port = "http"
check {
type = "http"
path = "/v1/sys/health"
interval = "10s"
timeout = "5s"
}
}
}
update {
max_parallel = 1
health_check = "checks"
min_healthy_time = "30s"
healthy_deadline = "5m"
progress_deadline = "10m"
auto_revert = true
canary = 0
}
}
}
Reference in New Issue View Git Blame Copy Permalink