acornies/faas-nomad-x

terraform/faas/faas.hcl

job "faas" {

  datacenters = ["dc1"]

  type = "system"

  group "faas-svc" {

    // OpenFaaS gateway (openfaas/gateway:0.17.0) run through the docker driver.
    // Configuration is delivered as environment variables rendered from the
    // first template below; basic-auth credentials are rendered from Vault.
    task "faas-gateway" {
      driver = "docker"

      config {
        image = "openfaas/gateway:0.17.0"

        port_map {
          http    = 8080
          metrics = 8082
        }
      }

      // Both ports are static host ports, so the gateway (8080) and its metrics
      // endpoint (8082) are reachable on the node address. This job defines no
      // TLS listener; with basic_auth enabled the credentials are only
      // base64-encoded on the wire unless something outside this file
      // terminates TLS in front of 8080.
      resources {
        network {
          port "http" {
            static = 8080
          }

          port "metrics" {
            static = 8082
          }
        }
      }

      // Gateway settings. Rendered to secrets/gateway.env and, because
      // env = true, also exported into the task environment.
      //  - NATS address/port come from the Consul service named "nats".
      //  - basic_auth is on and request validation is delegated to
      //    auth_proxy_url (plain http, node IP, port 8083), which matches the
      //    static port of the "basic-auth-plugin" task in this group.
      //  - NOTE(review): the inline remark on upstream_timeout says it should
      //    exceed read_timeout/write_timeout, but the value set (5m) is lower
      //    than both (5m5s); confirm which of the two is intended.
      //  - functions_provider_url is a hard-coded address, not discovered.
      template {
        env         = true
        destination = "secrets/gateway.env"
        data        = <<EOH
functions_provider_url="http://192.168.50.1:8081/"
faas_prometheus_host="{{ env "NOMAD_IP_http" }}"
faas_prometheus_port="9090"
{{ range service "nats" }}
faas_nats_address="{{ .Address }}"
faas_nats_port={{ .Port }}{{ end }}
read_timeout="5m5s" # Maximum time to read HTTP request
write_timeout="5m5s" # Maximum time to write HTTP response
upstream_timeout="5m" # Maximum duration of upstream function call - should be more than read_timeout and write_timeout
dnsrr="false" # Temporarily use dnsrr in place of VIP while issue persists on PWD
direct_functions="false" # Functions are invoked directly over the overlay network
direct_functions_suffix=""
basic_auth="true"
secret_mount_path="/secrets/"
scale_from_zero="false" # Enable if you want functions to scale from 0/0 to min replica count upon invoke
max_idle_conns="1024"
max_idle_conns_per_host="1024"
auth_proxy_url="http://{{ env "NOMAD_IP_http" }}:8083/validate"
auth_proxy_pass_body="false"
EOH
      }

      // Vault integration is required as written: the two templates below are
      // active and read secret/openfaas/auth/credentials under the "openfaas"
      // policy. The faas provider is expected to run with
      // -enable_basic_auth=true (configured outside this file).
      vault {
        policies = ["openfaas"]
      }

      // Username half of the gateway's basic-auth credentials, written to the
      // directory named by secret_mount_path above.
      template {
        destination = "secrets/basic-auth-user"
        data        = <<EOH
{{ with secret "secret/openfaas/auth/credentials" }}{{ .Data.username }}{{ end }}
EOH
      }

      // Password half of the same credentials.
      template {
        destination = "secrets/basic-auth-password"
        data        = <<EOH
{{ with secret "secret/openfaas/auth/credentials" }}{{ .Data.password }}{{ end }}
EOH
      }

      // Service registrations for the two ports. Neither declares a health
      // check, unlike the statsd, nats and prometheus services in this job.
      service {
        name = "gateway"
        port = "http"
        tags = ["faas"]
      }

      service {
        name = "faas-metrics"
        port = "metrics"
        tags = ["faas"]
      }
    }

    // OpenFaaS basic-auth plugin (openfaas/basic-auth-plugin:0.17.0). The
    // gateway task's auth_proxy_url points at this task's static port 8083.
    task "basic-auth-plugin" {
      driver = "docker"

      config {
        image = "openfaas/basic-auth-plugin:0.17.0"

        port_map {
          http = 8080
        }
      }

      // Container port 8080 is published on static host port 8083. The job
      // puts no access control in front of that port, so who can reach the
      // validation endpoint is decided by host/network filtering outside this
      // file.
      resources {
        memory = 50

        network {
          port "http" {
            static = 8083
          }
        }
      }

      // Tells the plugin where the credential files live and what they are
      // called; the names match the two Vault-backed templates below.
      // Exported as environment variables because env = true.
      template {
        env         = true
        destination = "secrets/gateway.env"
        data        = <<EOH
secret_mount_path="/secrets/"
user_filename="basic-auth-user"
pass_filename="basic-auth-password"
EOH
      }

      // Vault integration is required as written: the templates below are
      // active and read secret/openfaas/auth/credentials under the "openfaas"
      // policy. The faas provider is expected to run with
      // -enable_basic_auth=true (configured outside this file).
      vault {
        policies = ["openfaas"]
      }

      // Username the plugin validates against.
      template {
        destination = "secrets/basic-auth-user"
        data        = <<EOH
{{ with secret "secret/openfaas/auth/credentials" }}{{ .Data.username }}{{ end }}
EOH
      }

      // Password the plugin validates against.
      template {
        destination = "secrets/basic-auth-password"
        data        = <<EOH
{{ with secret "secret/openfaas/auth/credentials" }}{{ .Data.password }}{{ end }}
EOH
      }
    }

    // Prometheus statsd exporter (prom/statsd-exporter:v0.12.2).
    task "statsd" {
      driver = "docker"

      config {
        image = "prom/statsd-exporter:v0.12.2"

        // Debug-level logging is enabled unconditionally; consider lowering it
        // outside troubleshooting, since debug output is verbose.
        args = ["--log.level=debug"]
      }

      // Two static host ports are reserved: "http" (9102) and "statsd" (9125).
      // Only "http" is registered as a service below, and this task declares
      // no port_map in its docker config.
      resources {
        network {
          port "http" {
            static = 9102
          }

          port "statsd" {
            static = 9125
          }
        }
      }

      // Registered as "statsd" with an HTTP check against "/" every 10s
      // (2s timeout) on the "http" port.
      service {
        name = "statsd"
        port = "http"
        tags = ["faas"]

        check {
          type     = "http"
          port     = "http"
          path     = "/"
          interval = "10s"
          timeout  = "2s"
        }
      }
    }
  }

  group "faas-nats" {

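    // NATS Streaming server (nats-streaming:0.11.2) used as the OpenFaaS
    // queue. The gateway task discovers it through the Consul service "nats".
    task "nats" {
      driver = "docker"

      config {
        image = "nats-streaming:0.11.2"

        // File-backed store under /tmp/nats inside the container; no volume is
        // configured in this block, so the data presumably does not outlive
        // the container (confirm if durability matters).
        // -m 8222 turns on the HTTP monitoring endpoint; -cid sets the cluster id.
        args = [
          "-store", "file", "-dir", "/tmp/nats",
          "-m", "8222",
          "-cid", "faas-cluster",
        ]

        // One entry per line with no separators, matching every other
        // port_map in this job.
        port_map {
          client     = 4222
          monitoring = 8222
          routing    = 6222
        }
      }

      // All three ports are static host ports. No credentials or TLS options
      // are passed in args above, so access to the client (4222), monitoring
      // (8222) and routing (6222) ports is limited only by host/network
      // filtering outside this file.
      resources {
        memory = 100

        network {
          port "client" {
            static = 4222
          }

          port "monitoring" {
            static = 8222
          }

          port "routing" {
            static = 6222
          }
        }
      }

      // Registers the client port as "nats"; health is probed over HTTP on the
      // monitoring port at /connz every 5s (2s timeout).
      service {
        port = "client"
        name = "nats"
        tags = ["faas"]

        check {
          type     = "http"
          port     = "monitoring"
          path     = "/connz"
          interval = "5s"
          timeout  = "2s"
        }
      }
    }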
  }

  group "faas-monitoring" {

    // Prometheus server (prom/prometheus:v2.7.1). Its configuration and alert
    // rules are downloaded at task start rather than embedded in this job.
    task "prometheus" {
      driver = "docker"

      config {
        image = "prom/prometheus:v2.7.1"
        args  = ["--config.file=/local/prometheus.yml"]

        port_map {
          http = 9090
        }
      }

      // NOTE(review): both artifacts track the mutable "master" branch of
      // another repository and set no checksum, so the fetched content can
      // change between allocations without any change to this job file.
      // Pinning the URL to a commit and adding, for example,
      //   options { checksum = "sha256:<SHA256_OF_FILE>" }
      // would make the download reproducible and tamper-evident.

      // Template source for prometheus.yml; rendered by the template block below.
      artifact {
        source      = "https://raw.githubusercontent.com/acornies/THUG-aug27-2019/master/contrib/prometheus/prometheus.yml"
        destination = "local/prometheus.yml.tpl"
        mode        = "file"
      }

      // Alert rules, placed as-is at local/alert.rules.yml (not templated).
      artifact {
        source      = "https://raw.githubusercontent.com/acornies/THUG-aug27-2019/master/contrib/prometheus/alert.rules.yml"
        destination = "local/alert.rules.yml"
        mode        = "file"
      }

      // Renders the downloaded file as a template into the path passed to
      // --config.file. change_mode = "noop": a re-render does not signal or
      // restart the task.
      template {
        source      = "local/prometheus.yml.tpl"
        destination = "local/prometheus.yml"
        change_mode = "noop"
      }

      // Static host port 9090; the gateway task's faas_prometheus_port is set
      // to the same number.
      resources {
        network {
          port "http" {
            static = 9090
          }
        }
      }

      // Registered as "prometheus" with an HTTP check against /graph every 10s
      // (2s timeout).
      service {
        name = "prometheus"
        port = "http"
        tags = ["faas"]

        check {
          type     = "http"
          port     = "http"
          path     = "/graph"
          interval = "10s"
          timeout  = "2s"
        }
      }
    }

    // Prometheus Alertmanager (prom/alertmanager:v0.16.1). Its configuration is
    // downloaded at task start and rendered as a template; basic-auth
    // credentials are rendered from Vault alongside it.
    task "alertmanager" {
      driver = "docker"

      config {
        image = "prom/alertmanager:v0.16.1"
        args  = ["--config.file=/local/alertmanager.yml"]

        port_map {
          http = 9093
        }
      }

      // NOTE(review): the artifact tracks the mutable "master" branch of
      // another repository and sets no checksum. Because the downloaded file
      // is then rendered as a template by a task that holds a Vault token
      // (see the vault block below), its content is effectively trusted with
      // that task's template privileges. Pinning the URL to a commit and
      // adding, for example,
      //   options { checksum = "sha256:<SHA256_OF_FILE>" }
      // keeps that trust tied to a reviewed revision.
      artifact {
        source      = "https://raw.githubusercontent.com/acornies/THUG-aug27-2019/master/contrib/prometheus/alertmanager.yml"
        destination = "local/alertmanager.yml.tpl"
        mode        = "file"
      }

      // Renders the downloaded file into the path passed to --config.file.
      // change_mode = "noop": a re-render does not signal or restart the task.
      template {
        source      = "local/alertmanager.yml.tpl"
        destination = "local/alertmanager.yml"
        change_mode = "noop"
      }

      // Vault integration is required as written: the templates below are
      // active. This task requests "default" in addition to "openfaas",
      // whereas the gateway and basic-auth-plugin tasks request only
      // "openfaas"; confirm the extra policy is needed. The faas provider is
      // expected to run with -enable_basic_auth=true (configured outside this
      // file).
      vault {
        policies = ["default", "openfaas"]
      }

      // Gateway basic-auth username, written into this task's secrets/
      // directory. How alertmanager.yml consumes it is not visible here.
      template {
        destination = "secrets/basic-auth-user"
        data        = <<EOH
{{ with secret "secret/openfaas/auth/credentials" }}{{ .Data.username }}{{ end }}
EOH
      }

      // Gateway basic-auth password, written next to the username file.
      template {
        destination = "secrets/basic-auth-password"
        data        = <<EOH
{{ with secret "secret/openfaas/auth/credentials" }}{{ .Data.password }}{{ end }}
EOH
      }

      // Static host port 9093.
      resources {
        network {
          port "http" {
            static = 9093
          }
        }
      }

      // Registered as "alertmanager"; no health check is declared.
      service {
        name = "alertmanager"
        port = "http"
        tags = ["faas"]
      }
    }
  }
}