nomad

HCL and Docker files for Nomad deployments
git clone https://git.in0rdr.ch/nomad.git
Log | Files | Refs | Pull requests |Archive

commit 430611153f69123dadb8cc409aef1eb62260cb5a
parent caa51c4ff4186d4c7185cf359b922894dedb8b65
Author: Andreas Gruhler <andreas.gruhler@adfinis.com>
Date:   Sat, 27 Jul 2024 19:45:08 +0200

feat(snapshot): bao raft backup

Diffstat:
Mhcl/infra/snapshots/README | 15++++++++++++++-
Mhcl/infra/snapshots/nomad-snapshots.nomad | 18++++++++++++++++--
Mhcl/infra/snapshots/templates/snapshot.sh.tmpl | 4++++
Ahcl/infra/snapshots/vault-jwt-snapshot.json | 20++++++++++++++++++++
4 files changed, 54 insertions(+), 3 deletions(-)

diff --git a/hcl/infra/snapshots/README b/hcl/infra/snapshots/README @@ -1,7 +1,7 @@ NOMAD SNAPSHOTS --------------- -Run periodic Raft state snapshots for Nomad and store snapshots on NFS. +Run periodic Raft state snapshots for Nomad or bao. Store snapshots on NFS. This creates a parameterized job: - https://www.nomadproject.io/docs/job-specification/parameterized @@ -12,9 +12,22 @@ nomad run nomad-snapshots.nomad The jobs can be dispatched to take snapshots of Nomad state: - nomad job dispatch -meta service=nomad snapshot - nomad job dispatch -meta service=nomad-var snapshot +- nomad job dispatch -meta service=bao snapshot The service meta parameter is required. +NOMAD WORKLOAD IDENTITY +----------------------- + +To login at bao, prepare the JWT role first: + + bao write auth/jwt-nomad/role/snapshot @vault-jwt-snapshot.json + +The bound claims require the job running with/in: +- Nomad Job ID: "snapshot/dispatch-*" +- Nomad namespace: "infra" +- Nomad task: "snapshot-save" + EXEC DRIVER ----------- diff --git a/hcl/infra/snapshots/nomad-snapshots.nomad b/hcl/infra/snapshots/nomad-snapshots.nomad @@ -2,6 +2,12 @@ job "snapshot" { datacenters = ["dc1"] type = "batch" + vault { + role = "snapshot" + # export VAULT_TOKEN for use in snapshot.sh script + env = true + } + parameterized { payload = "forbidden" meta_required = ["service"] @@ -33,6 +39,14 @@ job "snapshot" { task "snapshot-save" { driver = "exec" + env { + NOMAD_ADDR = "https://127.0.0.1:4646" + # only save variables from default namespace + NOMAD_NAMESPACE = "default" + NOMAD_SKIP_VERIFY = 1 + VAULT_SKIP_VERIFY = 1 + } + template { destination = "${NOMAD_TASK_DIR}/snapshot.sh" data = file("./templates/snapshot.sh.tmpl") @@ -52,8 +66,8 @@ job "snapshot" { } resources { - memory = 16 - cpu = 100 + memory = 128 + cpu = 200 } } } diff --git a/hcl/infra/snapshots/templates/snapshot.sh.tmpl b/hcl/infra/snapshots/templates/snapshot.sh.tmpl @@ -21,6 +21,10 @@ case "$1" in nomad var get -out json $v >> nomad-var-{{ timestamp "20060102" }}-{{ timestamp "unix" }}.dump done ;; + bao) + # use VAULT_TOKEN from nomad workload identity + bao operator raft snapshot save bao-raft-{{ timestamp "20060102" }}-{{ timestamp "unix" }}.snap + ;; *) echo "Usage: $0 nomad" ;; diff --git a/hcl/infra/snapshots/vault-jwt-snapshot.json b/hcl/infra/snapshots/vault-jwt-snapshot.json @@ -0,0 +1,20 @@ +{ + "role_type": "jwt", + "bound_audiences": ["vault.in0rdr.ch"], + "bound_claims_type": "glob", + "bound_claims": { + "nomad_job_id": "snapshot/dispatch-*", + "nomad_namespace": "infra", + "nomad_task": "snapshot-save" + }, + "user_claim": "nomad_job_id", + "claim_mappings": { + "nomad_namespace": "nomad_namespace", + "nomad_job_id": "nomad_job_id", + "nomad_task": "nomad_task" + }, + "token_type": "service", + "token_policies": ["snapshot"], + "token_period": "10m", + "token_explicit_max_ttl": 0 +}