job-config.yaml

# vim: set softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent smartindent syntax=yaml:

datacenter: nbg1
domain: rbjorklin.com

logging_enabled: false
logging_config: |
  logging {
    type = "gelf"
    config {
      gelf-address = "udp://graylog.rbjorklin.com:12201"
      labels = "testXlabel"
    }
  }

haproxy_bootstrap_conf: |
  global
    log         stdout daemon
    maxconn     4000

    # utilize system-wide crypto-policies
    #ssl-default-bind-ciphers PROFILE=SYSTEM
    #ssl-default-server-ciphers PROFILE=SYSTEM
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets

    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets

  defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

  frontend https
    mode tcp
    bind *:443 #ssl crt /local/freeipa.crt
    {{- $requiredHttpsTags := parseJSON "[\"https\",\"expose\"]" }}
    {{- range services }}
    {{- if .Tags | containsAll $requiredHttpsTags }}
    use_backend {{ .Name }}_https if { hdr_beg(Host) -i {{ .Name }} }
    {{- end }}
    {{- end }}
    #default_backend     nomatch_http

  frontend http
    bind *:80
    monitor-uri /haproxy/status
    # Don't expose stats outside of demo purposes...
    stats enable
    stats show-node
    stats show-desc Allocation ID: {{ env "NOMAD_ALLOC_ID" }}
    stats uri /haproxy/stats
    stats auth {{ env "STATS_USER" }}:{{ env "STATS_PASSWD" }}
    http-request use-service prometheus-exporter if { path /haproxy/metrics }

    use_backend consul_ui_http if { hdr_beg(Host) -i consul-ui }

    {{- $hostHeaderBegin := "" }}
    {{- $requiredHttpTags := parseJSON "[\"http\", \"consul-connect\"]" }}
    {{- range services }}
    {{- if .Tags | containsAll $requiredHttpTags }}
      {{- range $tag := .Tags }}
        {{- if $tag | regexMatch "^hostHeaderBegin=.*$" }}
          {{- $hostHeaderBegin = (index ($tag | split "=") 1) }}
        {{- end }}
      {{- end }}
    use_backend {{ .Name | replaceAll "-" "_" }}_http if { hdr_beg(Host) -i {{ $hostHeaderBegin }} }
    {{- end }}
    {{- end }}

    default_backend     envoy_proxy_http

  {{- $method := "" }}
  {{- $path := "" }}
  {{- range services }}
  {{- if .Tags | containsAll $requiredHttpTags }}
  backend {{ .Name | replaceAll "-" "_" }}_http
    {{- if .Tags | contains "sticky" }}
    balance url_param session check_post
    hash-type consistent
    hash-balance-factor 150
    {{- end }}
  {{- if .Tags | contains "healthMode=http" }}
    {{- range $tag := .Tags }}
      {{- if $tag | regexMatch "^healthMethod=.*$" }}
        {{- $method = (index ($tag | split "=") 1) }}
      {{- end }}
      {{- if $tag | regexMatch "^healthPath=.*$" }}
        {{- $path = (index ($tag | split "=") 1) }}
      {{- end }}
    {{- end }}
    option httpchk {{ $method }} {{ $path }}
  {{- end }}
  {{- range service .Name }}
    server  {{ .Node }} ${NOMAD_UPSTREAM_ADDR_{{ .Name | replaceAll "-sidecar-proxy" "" }}} check inter 5000
  {{- end }}
  {{- end }}
  {{- end }}

  {{- $requiredTcpTags := parseJSON "[\"tcp\",\"expose\"]" }}
  {{- range services }}
  {{- if .Tags | containsAll $requiredTcpTags }}
  backend {{ .Name }}_tcp
    mode tcp
  {{- if .Tags | contains "sticky" }}
    balance source
  {{- end }}
    {{- range service .Name }}
    server  {{ .Node }} {{ .Address }}:{{ .Port }} check inter 5000
    {{- end }}
  {{- end }}
  {{- end }}

  backend nomatch_http
    mode http
    http-request deny deny_status 400

  backend consul_ui_http
    server  localhost 127.0.0.1:8500 check inter 5000

  backend envoy_proxy_http
    server  localhost 127.0.0.1:19000 check