diff --git a/PORTS b/PORTS
--- a/PORTS
+++ b/PORTS
@@ -46,6 +46,7 @@
46080 Airflow - HTTP
46555 Airflow - Flower
47080 Jenkins HTTP - Test
+ 48080 Vault - Notifications - Integration
50000 Jenkins controller's port for JNLP-based Jenkins agents - CD
52000 Jenkins controller's port for JNLP-based Jenkins agents - Test
55000 Jenkins controller's port for JNKP-based Jenkins agents - CI
diff --git a/pillar/credentials/vault.sls b/pillar/credentials/vault.sls
--- a/pillar/credentials/vault.sls
+++ b/pillar/credentials/vault.sls
@@ -186,6 +186,12 @@
- ops/secrets/nasqueron/airflow/sentry
- ops/secrets/dbserver/cluster-A/users/airflow
+ - ops/secrets/nasqueron/rabbitmq/orange-rabbit/erlang-cookie
+ - ops/secrets/nasqueron/rabbitmq/orange-rabbit/root
+
+ - ops/secrets/nasqueron/rabbitmq/orange-rabbit/notifications
+ - ops/secrets/nasqueron.notifications.sentry
+
#
# Credentials used by projects hosted by Nasqueron
# Format: <project name>.<service>.<type>
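Review bot: The new sentry entry `ops/secrets/nasqueron.notifications.sentry` uses the dotted `<project>.<service>.<type>` form while sitting in the same list as the slash-separated Nasqueron paths added just above it, and the existing Airflow counterpart is `ops/secrets/nasqueron/airflow/sentry`. Unless the credentials module resolves both spellings, a policy built from this list will grant access to a path the notifications pillar never reads, or the other way round; `- ops/secrets/nasqueron/notifications/sentry` would match the sibling entries. The dotted section the comment describes starts after this hunk, so I cannot tell from here whether the entry was meant to live there instead.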
diff --git a/pillar/paas/docker/dwellers/notifications.sls b/pillar/paas/docker/dwellers/notifications.sls
new file mode 100644
--- /dev/null
+++ b/pillar/paas/docker/dwellers/notifications.sls
@@ -0,0 +1,52 @@
+# -------------------------------------------------------------
+# Salt — Provision Docker engine
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Service: Sentry
+# -------------------------------------------------------------
+
+docker_aliases:
+ - &ipv4_dwellers_restricted 172.27.27.4
+
+docker_images:
+ - nasqueron/notifications
+ - nasqueron/rabbitmq
+ - nasqueron/vault
+
+docker_networks:
+ notifications-int:
+ subnet: 172.21.6.0/24
+
+docker_containers:
+
+ rabbitmq:
+ orange-rabbit:
+ ip: *ipv4_dwellers_restricted
+ host: orange-rabbit.integration.nasqueron.org
+ app_port: 15672
+ network: notifications-int
+ credentials:
+ erlang_cookie: nasqueron/rabbitmq/orange-rabbit/erlang-cookie
+ root: nasqueron/rabbitmq/orange-rabbit/root
+
+ vault:
+ vault-notifications:
+ ip: *ipv4_dwellers_restricted
+ host: vault-notifications.integration.nasqueron.org
+ app_port: 48080
+ network: notifications-int
+
+ notifications:
+ notifications:
+ host: notifications.integration.nasqueron.org
+ app_port: 37080
+ network: notifications-int
+ broker: orange_rabbit
+ credentials:
+ broker: nasqueron/rabbitmq/orange-rabbit/notifications
+ sentry:
+ realm: nasqueron
+ project_id: 2
+ credential: nasqueron.notifications.sentry
+ environment: integration
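Review bot: `broker: orange_rabbit` (underscore) does not match the RabbitMQ instance defined a few lines above as `orange-rabbit` (hyphen); since the container state turns this value directly into `BROKER_HOST`, and the two containers share the `notifications-int` network where Docker resolves peers by container name, the notifications service would presumably fail to reach its broker — `broker: orange-rabbit` is what the instance name supports. The header says `# Service: Sentry`, which looks copied from another dweller file; `# Service: Notifications (integration)` would describe this pillar. Note also that the RabbitMQ management port 15672 and Vault are both bound on the shared `ipv4_dwellers_restricted` address, so whatever firewalling applies to that address now protects the broker admin UI as well; worth confirming it is not reachable from outside the host.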
diff --git a/roles/paas-docker/containers/files/vault/vault.hcl b/roles/paas-docker/containers/files/vault/vault.hcl
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/containers/files/vault/vault.hcl
@@ -0,0 +1,31 @@
+# -------------------------------------------------------------
+# Vault configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/paas-docker/containers/files/vault/vault.hcl
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+
+listener "tcp" {
+ address = "0.0.0.0:8200"
+
+ tls_cert_file = "/vault/config/certificates/fullchain.pem"
+ tls_key_file = "/vault/config/certificates/private.key"
+}
+
+storage "raft" {
+ path = "/vault/storage"
+ node_id = "{{ id }}"
+}
+
+disable_mlock = true
+
+ui = true
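Review bot: The listener has no `x_forwarded_for_authorized_addrs`, yet this same diff fronts Vault with an nginx reverse proxy, so every request will appear to Vault as coming from nginx's address — audit log entries, `bound_cidrs`/`token_bound_cidrs` restrictions and rate-limit quotas all lose the real client IP. Adding `x_forwarded_for_authorized_addrs = ["<nginx address>"]` inside the `listener "tcp"` block (with the proxy's actual address) restores that, assuming `includes/proxy_params` sets `X-Forwarded-For` as is usual. `disable_mlock = true` is the documented setting for raft storage, which is fine, but it deserves a one-line comment (`# raft storage is mmap-based; mlock is not supported`) so nobody "fixes" it later. The TLS files under `/vault/config/certificates/` are referenced but nothing in this diff deploys them, so the container will fail closed on first start until they are provisioned.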
diff --git a/roles/paas-docker/containers/notifications.sls b/roles/paas-docker/containers/notifications.sls
--- a/roles/paas-docker/containers/notifications.sls
+++ b/roles/paas-docker/containers/notifications.sls
@@ -72,25 +72,39 @@
# Docker volume (/srv/notifications/storage)
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+{% if "network" in container %}
+{% set broker = container['broker'] %}
+{% else %}
+{% set broker = "mq" %}
+{% endif %}
+
{{ instance }}:
docker_container.running:
- detach: True
- interactive: True
- image: nasqueron/notifications
- binds: /srv/{{ instance }}/storage:/var/wwwroot/default/storage
+ {% if "network" in container %}
+ - networks:
+ - {{ container['network'] }}
+ {% else %}
- links:
- {{ container['broker_link'] }}:mq
+ {% endif %}
- environment:
- - BROKER_HOST: mq
+ - BROKER_HOST: {{ broker }}
- BROKER_USERNAME: {{ salt['credentials.get_username'](container['credentials']['broker']) }}
- BROKER_PASSWORD: {{ salt['credentials.get_password'](container['credentials']['broker']) }}
- BROKER_VHOST: dev
+ {% if "mailgun" in container["credentials"] %}
- MAILGUN_DOMAIN: {{ salt['credentials.get_username'](container['credentials']['mailgun']) }}
- MAILGUN_APIKEY: {{ salt['credentials.get_password'](container['credentials']['mailgun']) }}
+ {% endif %}
- SENTRY_DSN: {{ salt['credentials.get_sentry_dsn'](container["sentry"]) }}
- SENTRY_TRACES_SAMPLE_RATE: 1.0
+ - SENTRY_ENVIRONMENT: {{ container["sentry"].get("environment", "production") }}
- ports:
- 80
- port_bindings:
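Review bot: The new Jinja prologue derives the broker host from whether `network` is present rather than from the `broker` key itself, so a pillar entry with `network` but no `broker` raises an undefined-key error at render time instead of a clear message; `{% set broker = container.get('broker', 'mq') %}` expresses the intent in one line and covers both the link and network cases. The `BROKER_HOST` value is used verbatim as a hostname, so it must equal the broker container's name on the shared network — worth a comment on the `{% set %}` line, since the pillar side currently spells it with an underscore. The `docker_container.running` state continues past this hunk (ports and bindings), so I have not reviewed the exposed-port side.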
diff --git a/roles/paas-docker/containers/vault.sls b/roles/paas-docker/containers/vault.sls
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/containers/vault.sls
@@ -0,0 +1,76 @@
+# -------------------------------------------------------------
+# Salt — Provision Docker engine
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% set has_selinux = salt["grains.get"]("selinux:enabled", False) %}
+{% set containers = pillar["docker_containers"] %}
+
+{% for instance, container in containers["vault"].items() %}
+
+# -------------------------------------------------------------
+# Storage directory
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{% for dir in ["config", "config/certificates", "storage"] %}
+
+/srv/vault/{{ instance }}/{{ dir }}:
+ file.directory:
+ - user: 100
+ - group: 1000
+ - makedirs: True
+
+{% endfor %}
+
+/srv/vault/{{ instance }}/config/vault.hcl:
+ file.managed:
+ - source: salt://roles/paas-docker/containers/files/vault/vault.hcl
+ - mode: 644
+ - template: jinja
+ - context:
+ id: {{ instance }}
+
+{% if has_selinux %}
+selinux_context_vault_data_{{ instance }}:
+ selinux.fcontext_policy_present:
+ - name: /srv/vault/{{ instance }}
+ - sel_type: container_file_t
+
+selinux_context_vault_data_applied_{{ instance }}:
+ selinux.fcontext_policy_applied:
+ - name: /srv/vault/{{ instance }}
+ - recursive: True
+{% endif %}
+
+# -------------------------------------------------------------
+# Container
+#
+# Image: hashicorp/vault
+# Description: Vault
+# Services used: Docker volume
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{{ instance }}:
+ docker_container.running:
+ - detach: True
+ - interactive: True
+ - image: hashicorp/vault
+ - command: server
+ - cap_add:
+ - IPC_LOCK
+ - binds:
+ - /srv/vault/{{ instance }}/config:/vault/config
+ - /srv/vault/{{ instance }}/storage:/vault/storage
+ - networks:
+ - {{ container["network"] }}
+ - environment:
+ - VAULT_CLUSTER_INTERFACE: eth0
+ - VAULT_REDIRECT_INTERFACE: eth0
+ - ports:
+ - 8200
+ - port_bindings:
+ - {{ container["ip"] }}:{{ container["app_port"] }}:8200
+
+{% endfor %}
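Review bot: The container runs `image: hashicorp/vault` while the pillar in this same diff lists `nasqueron/vault` under `docker_images`, so the host pulls one image and runs another; whichever is intended, `- image:` here and the pillar entry should name the same image (and ideally a pinned tag rather than `latest`). `cap_add: IPC_LOCK` is dead weight given `disable_mlock = true` in the shipped vault.hcl — dropping it keeps the container at default capabilities. `/srv/vault/{{ instance }}/config/certificates` will hold `private.key` but is created with the default directory mode; give it `- mode: 700` (the other two directories can stay as they are) so the key is not world-listable on the host, and note that nothing here deploys the certificate and key, so the state should probably `require` them or document that they are provisioned out of band.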
diff --git a/roles/paas-docker/nginx/files/vhosts/vault.conf b/roles/paas-docker/nginx/files/vhosts/vault.conf
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/nginx/files/vhosts/vault.conf
@@ -0,0 +1,43 @@
+# -------------------------------------------------------------
+# Configuration for Docker PaaS front-end nginx
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Service: vault
+# Source file: roles/paas-docker/nginx/files/vhosts/vault.conf
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name {{ fqdn }};
+
+ include includes/letsencrypt;
+
+ return 301 https://$host$request_uri;
+}
+
+server {
+ server_name {{ fqdn }};
+
+ include includes/tls;
+ ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
+ ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+
+ include includes/letsencrypt;
+
+ location / {
+ proxy_pass https://{{ args['ip'] }}:{{ app_port }};
+ include includes/proxy_params;
+ }
+
+ root /var/wwwroot-502/_default;
+ error_page 502 /502.html;
+ location /502.html {}
+
+}
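Review bot: `proxy_pass https://…` does not verify the upstream certificate — nginx defaults to `proxy_ssl_verify off` and sends no SNI — so the TLS hop to Vault only encrypts and does not authenticate the backend, which matters more for a secrets service than for the other dwellers. Adding `proxy_ssl_verify on;`, `proxy_ssl_server_name on;` and `proxy_ssl_name {{ fqdn }};` in the `location /` block, together with a `proxy_ssl_trusted_certificate` pointing at the chain that issued `/vault/config/certificates/fullchain.pem`, makes nginx reject an impostor on the dwellers network. This also assumes the Vault certificate's SAN covers `{{ fqdn }}`; if the backend uses a different name, set `proxy_ssl_name` to that instead.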
