Skip to content

Commit

Permalink
no longer allow http-only services
Browse files Browse the repository at this point in the history
  • Loading branch information
traceypooh committed Jan 15, 2025
1 parent e91efe6 commit d003c24
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 26 deletions.
29 changes: 9 additions & 20 deletions project.nomad
Original file line number Diff line number Diff line change
Expand Up @@ -92,16 +92,12 @@ variable "PORTS" {
# Don't worry -- we'll use the abs() of it;
# negative numbers makes them easily identifiable and partition-able below ;-)
#
# Note: if you want an extra port to only use HTTP and not HTTPS, add 10000 to your desired
# port number (so for 18989, the public url will be http://... mapped internally to :8989 ).
#
# Examples:
# NOMAD_VAR_PORTS='{ 5000 = "http" }'
# NOMAD_VAR_PORTS='{ -1 = "http" }'
# NOMAD_VAR_PORTS='{ 5000 = "http", 666 = "cool-ness" }'
# NOMAD_VAR_PORTS='{ 8888 = "http", 8012 = "backend", 7777 = "extra-service" }'
# NOMAD_VAR_PORTS='{ 5000 = "http", -7777 = "irc" }'
# NOMAD_VAR_PORTS='{ 5000 = "http", 18989 = "db" }'
type = map(string)
default = { 5000 = "http" }
}
Expand Down Expand Up @@ -131,19 +127,18 @@ variable "NOMAD_SECRETS" {
locals {
# Ignore all this. really :)

# Copy hashmap, but remove map key/val for the main/default port (defaults to 5000).
# Then split hashmap in two: one for HTTP port mappings; one for TCP (only; rare) port mappings.
ports_main = {for k, v in var.PORTS: k => v if v == "http"}
ports_extra_tmp = {for k, v in var.PORTS: k => v if v != "http"}
ports_extra_tmp2 = {for k, v in local.ports_extra_tmp: k => v if k > -2}
ports_extra_https = {for k, v in local.ports_extra_tmp2: k => v if k < 10000}
ports_extra_http = {for k, v in local.ports_extra_tmp: abs(k - 10000) => v if k > 10000}
ports_extra_tcp = {for k, v in local.ports_extra_tmp: abs(k) => v if k < -1}
# Split the ports hashmap into three hashmaps:
# - just the key/val for the main/default port (defaults to 5000)
# - extra HTTPS port mappings
# - TCP (only; rare) port mappings
ports_main = {for k, v in var.PORTS: k => v if v == "http"}
ports_extra_https = {for k, v in var.PORTS: k => v if v != "http" && k > -2}
ports_extra_tcp = {for k, v in var.PORTS: abs(k) => v if v != "http" && k < -1}
# 1st docker container configures all ports *unless* MULTI_CONTAINER is true, then just main port
ports_docker = values(var.MULTI_CONTAINER ? local.ports_main : var.PORTS)

# Now create a hashmap of *all* ports to be used, but abs() any portnumber key < -1
ports_all = merge(local.ports_main, local.ports_extra_https, local.ports_extra_http, local.ports_extra_tcp, {})
ports_all = merge(local.ports_main, local.ports_extra_https, local.ports_extra_tcp, {})

# Use CI_GITHUB_IMAGE if set, otherwise use GitLab vars interpolated string
docker_image = var.CI_GITHUB_IMAGE != "" ? var.CI_GITHUB_IMAGE : "${var.CI_REGISTRY_IMAGE}/${var.CI_COMMIT_REF_SLUG}:${var.CI_COMMIT_SHA}"
Expand Down Expand Up @@ -187,9 +182,6 @@ locals {
# then make its hostname be `card-backend.example.com`
"urlprefix-${local.host0}-${portname}.${local.host0domain}"
]},
{for portnum, portname in local.ports_extra_http: portname => [
"urlprefix-${local.host0}-${portname}.${local.host0domain} proto=http"
]},
{for portnum, portname in local.ports_extra_tcp: portname => [
"urlprefix-:${portnum} proto=tcp"
]},
Expand All @@ -199,9 +191,6 @@ locals {
# then make its hostname be `card-backend.example.com`
local.legacy ? "https://${var.HOSTNAMES[0]}:${portnum}" : "https://${local.host0}-${portname}.${local.host0domain}" // xxx
]},
{for portnum, portname in local.ports_extra_http: portname => [
"http://${local.host0}-${portname}.${local.host0domain}"
]},
{for portnum, portname in local.ports_extra_tcp: portname => []},
)
}
Expand Down Expand Up @@ -292,7 +281,7 @@ job "NOMAD_VAR_SLUG" {
}

dynamic "service" {
for_each = merge(local.ports_extra_https, local.ports_extra_http, local.ports_extra_tcp)
for_each = merge(local.ports_extra_https, local.ports_extra_tcp)
content {
# service.key == portnumber
# service.value == portname
Expand Down
12 changes: 6 additions & 6 deletions test/test.sh
Original file line number Diff line number Diff line change
Expand Up @@ -230,33 +230,33 @@ function prodtest() {
slug www-offshoot
)
(
banner GL repo using one HTTP-only port and 2+ ports/names, to dev
banner GL repo using one TCP-only port and 2+ ports/names, to dev
BASE_DOMAIN=dev.archive.org
CI_PROJECT_NAME=lcp
CI_COMMIT_REF_SLUG=main
CI_PROJECT_PATH_SLUG=services-$CI_PROJECT_NAME
NOMAD_VAR_PORTS='{ 9999 = "http" , 18989 = "lcp", 8990 = "lsd" }'
NOMAD_VAR_PORTS='{ 9999 = "http" , -8989 = "lcp", 8990 = "lsd" }'
expects 'nomad cluster https://dev.archive.org' \
'deploying to https://services-lcp.dev.archive.org'
# NOTE: subtle -- with multiple ports (one thus one service per port), we expect 3 services
# eacho with its own hostname
tags '[["https://services-lcp.dev.archive.org"],["http://services-lcp-lcp.dev.archive.org"],["https://services-lcp-lsd.dev.archive.org"]]'
tags '[["https://services-lcp.dev.archive.org"],[],["https://services-lcp-lsd.dev.archive.org"]]'
ctags '[["https://canary-services-lcp.dev.archive.org"]]'
)
(
banner GL repo using one HTTP-only port and 2+ ports/names, to prod
banner GL repo using one TCP-only port and 2+ ports/names, to prod
BASE_DOMAIN=dev.archive.org
CI_PROJECT_NAME=lcp
CI_COMMIT_REF_SLUG=production
CI_PROJECT_PATH_SLUG=services-$CI_PROJECT_NAME
NOMAD_VAR_PORTS='{ 9999 = "http" , 18989 = "lcp", 8990 = "lsd" }'
NOMAD_VAR_PORTS='{ 9999 = "http" , -8989 = "lcp", 8990 = "lsd" }'
NOMAD_TOKEN_PROD=test
expects 'nomad cluster https://prod.archive.org' \
'deploying to https://lcp.prod.archive.org' \
'using nomad production token'
# NOTE: subtle -- with multiple ports (one thus one service per port), we expect 3 services
# eacho with its own hostname
tags '[["urlprefix-lcp.prod.archive.org"],["urlprefix-lcp-lcp.prod.archive.org proto=http"],["urlprefix-lcp-lsd.prod.archive.org"]]'
tags '[["urlprefix-lcp.prod.archive.org"],["urlprefix-:8989 proto=tcp"],["urlprefix-lcp-lsd.prod.archive.org"]]'
ctags '[["https://canary-lcp.prod.archive.org"]]'
)
(
Expand Down

0 comments on commit d003c24

Please sign in to comment.