Examples

See setup to set up the required infrastructure.

Validation

Cost Center

This example demonstrates a validator that checks whether a job's metadata contains a cost center code and whether that code starts with cccode-.

cost center mutator.

nacp -config example1.conf.hcl
NOMAD_ADDR=http://localhost:6464 nomad run example1.nomad
example1.mov
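The check this validator performs, written out in Go as an added example (it is not the policy shipped with example1.conf.hcl). The meta key costcenter and the job-registration payload shape are assumptions, and rejecting a bare cccode- prefix is stricter than the rule stated above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

const metaKey = "costcenter" // hypothetical meta key; the README does not name it
const codePrefix = "cccode-" // prefix stated in the README

type registerRequest struct {
	Job struct {
		ID   string
		Meta map[string]string
	}
}

// ValidateCostCenter returns one message per violation (empty means the job
// passes). Undecodable input is returned as an error so callers fail closed.
func ValidateCostCenter(payload []byte) ([]string, error) {
	var req registerRequest
	if err := json.Unmarshal(payload, &req); err != nil {
		return nil, fmt.Errorf("decode job: %w", err)
	}
	code, ok := req.Job.Meta[metaKey] // reading a nil map is safe in Go
	switch {
	case !ok:
		return []string{fmt.Sprintf("job %q: meta %q is missing", req.Job.ID, metaKey)}, nil
	case !strings.HasPrefix(code, codePrefix):
		return []string{fmt.Sprintf("job %q: %q must start with %q", req.Job.ID, code, codePrefix)}, nil
	case code == codePrefix: // assumption: a bare prefix carries no code
		return []string{fmt.Sprintf("job %q: cost center code is empty", req.Job.ID)}, nil
	}
	return nil, nil
}

func main() {
	// Constructed sample payloads, not taken from example1.nomad.
	samples := []string{
		`{"Job":{"ID":"ok","Meta":{"costcenter":"cccode-1234"}}}`,
		`{"Job":{"ID":"no-meta"}}`,
		`{"Job":{"ID":"bad-prefix","Meta":{"costcenter":"team-a"}}}`,
	}
	for _, s := range samples {
		fmt.Println(ValidateCostCenter([]byte(s)))
	}
}
```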

Image Validation via Notation

See the README in the notation/ folder.

Mutator

Simple Hello World

This example demonstrates a simple mutator that adds a hello key with the value world to the job metadata.

simple hello world mutator

nacp -config example2.conf.hcl
NOMAD_ADDR=http://localhost:6464 nomad run example2.nomad

Postgres Env Template Injection

In this example the mutator checks whether a task of a job contains a postgres metadata field. If so, the mutator injects a template block and a vault policy into the task that renders the postgres connection details.

If the postgres metadata equals native it creates a template that renders the environment variables PGHOST, PGPORT, PGUSER, PGPASSWORD and PGDATABASE.

If the postgres metadata equals springboot it creates a template that renders the environment variables SPRING_DATASOURCE_URL, SPRING_DATASOURCE_USERNAME and SPRING_DATASOURCE_PASSWORD.

postgres env template mutator

nacp -config example3.conf.hcl
NOMAD_ADDR=http://localhost:6464 nomad run example3.nomad

OAuth2 Proxy Injection

This example deploys a job that contains a simple webapp.

If the metadata field of a task group contains secure with the name of the service (e.g. webapp) that needs to be secured, the mutator injects the oauth2-proxy into the task group and rewrites the service name so that incoming requests point to the proxy.

nacp -config example3.conf.hcl
terraform init && terraform apply -auto-approve
NOMAD_ADDR=http://localhost:6464 nomad run example4.nomad

oauth2-proxy mutator


Infrastructure Setup

Run Vault

cd infra/vault
vault server -dev -dev-root-token-id=root -dev-listen-address=0.0.0.0:8200
cd infra/nomad
sudo nomad agent -dev -bind=0.0.0.0 -network-interface=en0 -config=conf

Deploy some infrastructure (keycloak, postgres, traefik)

cd infra/nomad/jobs
terraform init && terraform apply -auto-approve

Configure Postgres Database Engine Vault

cd infra/vault
terraform init && terraform apply -auto-approve

These examples assume that every Nomad job that comes with a service is accessible via <service_name>.nomad.local. Use the Consul catalog to update /etc/hosts:

cd infra/etchosts
./run.sh

(If you trust my script that requires sudo and writes to /etc/hosts ;) )

Notes

The examples are not meant to be used in production. They are just meant to demonstrate the capabilities of nacp and opa.