Replace Docker's `gcplogs` driver with the GCP COS logging agent (#977)
parent
f3a000d32c
commit
5125a5ad03
|
@ -152,6 +152,7 @@ module "squid-vm" {
|
|||
service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
|
||||
metadata = {
|
||||
user-data = module.cos-squid.cloud_config
|
||||
google-logging-enabled = true
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
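Review bot: The new `google-logging-enabled = true` on squid-vm moves log shipping from the container's gcplogs driver to the COS logging agent, which authenticates as the instance service account, so that account still needs `roles/logging.logWriter` (the same requirement the old driver had); the hunk shows the `cloud-platform` scope but not the role binding, which is presumably granted elsewhere in the blueprint. A short comment would keep that dependency visible to whoever trims scopes or roles later, e.g. `# the COS logging agent needs roles/logging.logWriter on the instance service account`. The `squid-vm` module block starts before the hunk.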
@ -25,7 +25,6 @@ locals {
|
|||
Environment="HOME=/home/opsagent"
|
||||
ExecStartPre=/usr/bin/docker-credential-gcr configure-docker
|
||||
ExecStart=/usr/bin/docker run --rm --name=monitoring-agent \
|
||||
--log-driver=gcplogs \
|
||||
--network host \
|
||||
-v /etc/google-cloud-ops-agent/config.yaml:/etc/google-cloud-ops-agent/config.yaml \
|
||||
${var.ops_agent_image}
|
||||
|
@ -306,6 +305,7 @@ module "proxy-vm" {
|
|||
create_template = true
|
||||
metadata = {
|
||||
user-data = !var.tls ? module.cos-nginx.0.cloud_config : module.cos-nginx-tls.0.cloud_config
|
||||
google-logging-enabled = true
|
||||
}
|
||||
service_account = module.service-account-proxy.email
|
||||
service_account_create = false
|
||||
|
|
|
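Review bot: Dropping `--log-driver=gcplogs` from the monitoring-agent unit leaves the container on Docker's default json-file driver, which is the output the COS logging agent can pick up, but json-file output is not rotated by the driver itself, so unless the image's daemon configuration already caps it the agent's stdout grows on the boot disk for the life of the instance. The same applies to the container units in the coredns, generic-container, mysql and nginx cloud-config templates touched by this commit; the coredns template already writes `/var/lib/docker/daemon.json`, which is the natural place for rotation options such as `"log-opts": {"max-size": "10m", "max-file": "3"}` (example values) or for a comment stating that the COS default is relied on. The `locals` block holding this unit starts before the first hunk, and the `proxy-vm` module block of the second hunk ends outside it.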
@ -21,8 +21,6 @@ These modules are designed for several use cases:
|
|||
|
||||
All modules are designed to be as lightweight as possible, so that specialized modules like [compute-vm](../compute-vm) can be leveraged to manage instances or instance templates, and to allow simple forking to create custom derivatives.
|
||||
|
||||
Modules use Docker's [Google Cloud Logging driver](https://docs.docker.com/config/containers/logging/gcplogs/) by default, so projects need to have the logging API enabled. If that's not desirable simply remove `--log-driver=gcplogs` from the relevant systemd unit in `cloud-config.yaml`.
|
||||
|
||||
To use the modules with instances or instance templates, simply set use their `cloud_config` output for the `user-data` metadata. When updating the metadata after a variable change remember to manually restart the instances that use a module's output, or the changes won't effect the running system.
|
||||
|
||||
For convenience when developing or prototyping infrastructure, an optional test instance is included in all modules. If it's not needed, the linked `*instance.tf` files can be removed from the modules without harm.
|
||||
|
|
|
@ -10,7 +10,7 @@ The resulting `cloud-config` can be customized in a number of ways:
|
|||
|
||||
The default instance configuration inserts iptables rules to allow traffic on the DNS TCP and UDP ports, and the 8080 port for the optional HTTP health check that can be enabled via the CoreDNS [health plugin](https://coredns.io/plugins/health/).
|
||||
|
||||
Logging and monitoring are enabled via the [Google Cloud Logging driver](https://docs.docker.com/config/containers/logging/gcplogs/) configured for the CoreDNS container, and the [Node Problem Detector](https://cloud.google.com/container-optimized-os/docs/how-to/monitoring) service is started by default on boot.
|
||||
Logging and monitoring are enabled via the [Google Cloud Logging agent](https://cloud.google.com/container-optimized-os/docs/how-to/logging) configured for the instance via the `google-logging-enabled` metadata property, and the [Node Problem Detector](https://cloud.google.com/container-optimized-os/docs/how-to/monitoring) service is started by default on boot.
|
||||
|
||||
The module renders the generated cloud config in the `cloud_config` output, to be used in instances or instance templates via the `user-data` metadata.
|
||||
|
||||
|
@ -28,10 +28,13 @@ module "cos-coredns" {
|
|||
}
|
||||
|
||||
# use it as metadata in a compute instance or template
|
||||
resource "google_compute_instance" "default" {
|
||||
module "vm-coredns" {
|
||||
source = "./fabric/modules/compute-vm"
|
||||
metadata = {
|
||||
user-data = module.cos-coredns.cloud_config
|
||||
google-logging-enabled = true
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
### Custom CoreDNS configuration
|
||||
|
@ -77,9 +80,8 @@ module "cos-coredns" {
|
|||
| [cloud_config](variables.tf#L17) | Cloud config template path. If null default will be used. | <code>string</code> | | <code>null</code> |
|
||||
| [config_variables](variables.tf#L23) | Additional variables used to render the cloud-config and CoreDNS templates. | <code>map(any)</code> | | <code>{}</code> |
|
||||
| [coredns_config](variables.tf#L29) | CoreDNS configuration path, if null default will be used. | <code>string</code> | | <code>null</code> |
|
||||
| [docker_logging](variables.tf#L35) | Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead. | <code>bool</code> | | <code>true</code> |
|
||||
| [file_defaults](variables.tf#L41) | Default owner and permissions for files. | <code title="object({ owner = string permissions = string })">object({…})</code> | | <code title="{ owner = "root" permissions = "0644" }">{…}</code> |
|
||||
| [files](variables.tf#L53) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map(object({ content = string owner = string permissions = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [file_defaults](variables.tf#L35) | Default owner and permissions for files. | <code title="object({ owner = string permissions = string })">object({…})</code> | | <code title="{ owner = "root" permissions = "0644" }">{…}</code> |
|
||||
| [files](variables.tf#L47) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map(object({ content = string owner = string permissions = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [test_instance](variables-instance.tf#L17) | Test/development instance attributes, leave null to skip creation. | <code title="object({ project_id = string zone = string name = string type = string network = string subnetwork = string })">object({…})</code> | | <code>null</code> |
|
||||
| [test_instance_defaults](variables-instance.tf#L30) | Test/development instance defaults used for optional configuration. If image is null, COS stable will be used. | <code title="object({ disks = map(object({ read_only = bool size = number })) image = string metadata = map(string) nat = bool service_account_roles = list(string) tags = list(string) })">object({…})</code> | | <code title="{ disks = {} image = null metadata = {} nat = false service_account_roles = [ "roles/logging.logWriter", "roles/monitoring.metricWriter" ] tags = ["ssh"] }">{…}</code> |
|
||||
|
||||
|
|
|
@ -17,8 +17,6 @@
|
|||
# https://hub.docker.com/r/coredns/coredns/
|
||||
# https://coredns.io/manual/toc/#installation
|
||||
|
||||
# TODO: switch to the gcplogs logging driver, and set driver labels
|
||||
|
||||
write_files:
|
||||
- path: /var/lib/docker/daemon.json
|
||||
permissions: 0644
|
||||
|
@ -58,9 +56,6 @@ write_files:
|
|||
Wants=gcr-online.target docker.socket docker-events-collector.service
|
||||
[Service]
|
||||
ExecStart=/usr/bin/docker run --rm --name=coredns \
|
||||
%{~ if docker_logging ~}
|
||||
--log-driver=gcplogs \
|
||||
%{~ endif ~}
|
||||
--network host \
|
||||
-v /etc/coredns:/etc/coredns \
|
||||
coredns/coredns -conf /etc/coredns/Corefile
|
||||
|
|
|
@ -17,7 +17,6 @@
|
|||
locals {
|
||||
cloud_config = templatefile(local.template, merge(var.config_variables, {
|
||||
corefile = templatefile(local.corefile, var.config_variables)
|
||||
docker_logging = var.docker_logging
|
||||
files = local.files
|
||||
}))
|
||||
corefile = (
|
||||
|
|
|
@ -32,12 +32,6 @@ variable "coredns_config" {
|
|||
default = null
|
||||
}
|
||||
|
||||
variable "docker_logging" {
|
||||
description = "Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead."
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "file_defaults" {
|
||||
description = "Default owner and permissions for files."
|
||||
type = object({
|
||||
|
|
|
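Review bot: Removing `variable "docker_logging"` outright is a breaking change for module callers: any root module that still sets `docker_logging` fails at plan time with an unsupported-argument error, and a caller-supplied `cloud_config` template that references `docker_logging` no longer renders because the companion `main.tf` hunk drops it from the `templatefile` merge (it can be restored through `config_variables`, but nothing tells users that). The same removal happens in the generic-container module (`docker_logging` and `gcp_logging`), envoy-td, mysql, nginx and nginx-tls variables files in this commit. Keeping the variable for one release as a documented no-op, `description = "Deprecated, no effect: logging is now enabled via the google-logging-enabled instance metadata."`, would give callers a migration path; otherwise the change deserves a breaking-change note in the commit message.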
@ -2,8 +2,6 @@
|
|||
|
||||
This helper module manages a `cloud-config` configuration that can start a container on [Container Optimized OS](https://cloud.google.com/container-optimized-os/docs) (COS). Either a complete `cloud-config` template can be provided via the `cloud_config` variable with optional template variables via the `config_variables`, or a generic `cloud-config` can be generated based on typical parameters needed to start a container.
|
||||
|
||||
Logging can be enabled via the [Google Cloud Logging docker driver](https://docs.docker.com/config/containers/logging/gcplogs/) using the `gcp_logging` variable. This is enabled by default, but requires that the service account running the COS instance have the `roles/logging.logWriter` IAM role or equivalent permissions on the project. If it doesn't, the container will fail to start unless this is disabled.
|
||||
|
||||
The module renders the generated cloud config in the `cloud_config` output, which can be directly used in instances or instance templates via the `user-data` metadata attribute.
|
||||
|
||||
## Examples
|
||||
|
@ -64,7 +62,7 @@ module "cos-envoy" {
|
|||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [container_image](variables.tf#L42) | Container image. | <code>string</code> | ✓ | |
|
||||
| [authenticate_gcr](variables.tf#L124) | Setup docker to pull images from private GCR. Requires at least one user since the token is stored in the home of the first user defined. | <code>bool</code> | | <code>false</code> |
|
||||
| [authenticate_gcr](variables.tf#L112) | Setup docker to pull images from private GCR. Requires at least one user since the token is stored in the home of the first user defined. | <code>bool</code> | | <code>false</code> |
|
||||
| [boot_commands](variables.tf#L17) | List of cloud-init `bootcmd`s. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [cloud_config](variables.tf#L23) | Cloud config template path. If provided, takes precedence over all other arguments. | <code>string</code> | | <code>null</code> |
|
||||
| [config_variables](variables.tf#L29) | Additional variables used to render the template passed via `cloud_config`. | <code>map(any)</code> | | <code>{}</code> |
|
||||
|
@ -72,13 +70,11 @@ module "cos-envoy" {
|
|||
| [container_name](variables.tf#L47) | Name of the container to be run. | <code>string</code> | | <code>"container"</code> |
|
||||
| [container_volumes](variables.tf#L53) | List of volumes. | <code title="list(object({ host = string, container = string }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [docker_args](variables.tf#L62) | Extra arguments to be passed for docker. | <code>string</code> | | <code>null</code> |
|
||||
| [docker_logging](variables.tf#L68) | Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead. | <code>bool</code> | | <code>true</code> |
|
||||
| [file_defaults](variables.tf#L74) | Default owner and permissions for files. | <code title="object({ owner = string permissions = string })">object({…})</code> | | <code title="{ owner = "root" permissions = "0644" }">{…}</code> |
|
||||
| [files](variables.tf#L86) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map(object({ content = string owner = string permissions = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [gcp_logging](variables.tf#L96) | Should container logs be sent to Google Cloud Logging. | <code>bool</code> | | <code>true</code> |
|
||||
| [run_as_first_user](variables.tf#L118) | Run as the first user if users are specified. | <code>bool</code> | | <code>true</code> |
|
||||
| [run_commands](variables.tf#L102) | List of cloud-init `runcmd`s. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [users](variables.tf#L108) | List of usernames to be created. If provided, first user will be used to run the container. | <code title="list(object({ username = string, uid = number, }))">list(object({…}))</code> | | <code title="[ ]">[…]</code> |
|
||||
| [file_defaults](variables.tf#L68) | Default owner and permissions for files. | <code title="object({ owner = string permissions = string })">object({…})</code> | | <code title="{ owner = "root" permissions = "0644" }">{…}</code> |
|
||||
| [files](variables.tf#L80) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map(object({ content = string owner = string permissions = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [run_as_first_user](variables.tf#L106) | Run as the first user if users are specified. | <code>bool</code> | | <code>true</code> |
|
||||
| [run_commands](variables.tf#L90) | List of cloud-init `runcmd`s. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [users](variables.tf#L96) | List of usernames to be created. If provided, first user will be used to run the container. | <code title="list(object({ username = string, uid = number, }))">list(object({…}))</code> | | <code title="[ ]">[…]</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -52,9 +52,6 @@ write_files:
|
|||
%{~ if length(users) > 0 && run_as_first_user ~}
|
||||
--user=${users[0].uid} \
|
||||
%{~ endif ~}
|
||||
%{~ if docker_logging ~}
|
||||
--log-driver=gcplogs \
|
||||
%{~ endif ~}
|
||||
%{~ if docker_args != null ~}
|
||||
${docker_args} \
|
||||
%{~ endif ~}
|
||||
|
|
|
@ -22,9 +22,7 @@ locals {
|
|||
container_name = var.container_name
|
||||
container_volumes = var.container_volumes
|
||||
docker_args = var.docker_args
|
||||
docker_logging = var.docker_logging
|
||||
files = local.files
|
||||
gcp_logging = var.gcp_logging
|
||||
run_commands = var.run_commands
|
||||
users = var.users
|
||||
authenticate_gcr = var.authenticate_gcr
|
||||
|
|
|
@ -65,12 +65,6 @@ variable "docker_args" {
|
|||
default = null
|
||||
}
|
||||
|
||||
variable "docker_logging" {
|
||||
description = "Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead."
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "file_defaults" {
|
||||
description = "Default owner and permissions for files."
|
||||
type = object({
|
||||
|
@ -93,12 +87,6 @@ variable "files" {
|
|||
default = {}
|
||||
}
|
||||
|
||||
variable "gcp_logging" {
|
||||
description = "Should container logs be sent to Google Cloud Logging."
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "run_commands" {
|
||||
description = "List of cloud-init `runcmd`s."
|
||||
type = list(string)
|
||||
|
|
|
@ -32,6 +32,7 @@ module "vm-cos" {
|
|||
|
||||
metadata = {
|
||||
user-data = module.cos-envoy-td.cloud_config
|
||||
google-logging-enabled = true
|
||||
}
|
||||
|
||||
boot_disk = {
|
||||
|
@ -49,7 +50,6 @@ module "vm-cos" {
|
|||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [docker_logging](variables.tf#L23) | Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead. | <code>bool</code> | | <code>true</code> |
|
||||
| [envoy_image](variables.tf#L17) | Envoy Proxy container image to use. | <code>string</code> | | <code>"envoyproxy/envoy:v1.15.5"</code> |
|
||||
|
||||
## Outputs
|
||||
|
|
|
@ -44,8 +44,6 @@ module "cos-envoy-td" {
|
|||
}
|
||||
}
|
||||
|
||||
gcp_logging = var.docker_logging
|
||||
|
||||
run_commands = [
|
||||
"iptables -t nat -N ENVOY_IN_REDIRECT",
|
||||
"iptables -t nat -A ENVOY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15001",
|
||||
|
|
|
@ -19,9 +19,3 @@ variable "envoy_image" {
|
|||
type = string
|
||||
default = "envoyproxy/envoy:v1.15.5"
|
||||
}
|
||||
|
||||
variable "docker_logging" {
|
||||
description = "Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead."
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
|
|
@ -12,7 +12,7 @@ The resulting `cloud-config` can be customized in a number of ways:
|
|||
|
||||
The default instance configuration inserts a sngle iptables rule to allow traffic on the default MySQL port.
|
||||
|
||||
Logging and monitoring are enabled via the [Google Cloud Logging driver](https://docs.docker.com/config/containers/logging/gcplogs/) configured for the CoreDNS container, and the [Node Problem Detector](https://cloud.google.com/container-optimized-os/docs/how-to/monitoring) service started by default on boot.
|
||||
Logging and monitoring are enabled via the [Google Cloud Logging agent](https://cloud.google.com/container-optimized-os/docs/how-to/logging) configured for the instance via the `google-logging-enabled` metadata property, and the [Node Problem Detector](https://cloud.google.com/container-optimized-os/docs/how-to/monitoring) service started by default on boot.
|
||||
|
||||
The module renders the generated cloud config in the `cloud_config` output, to be used in instances or instance templates via the `user-data` metadata.
|
||||
|
||||
|
@ -31,10 +31,13 @@ module "cos-mysql" {
|
|||
}
|
||||
|
||||
# use it as metadata in a compute instance or template
|
||||
resource "google_compute_instance" "default" {
|
||||
module "vm-mysql" {
|
||||
source = "./fabric/modules/compute-vm"
|
||||
metadata = {
|
||||
user-data = module.cos-mysql.cloud_config
|
||||
google-logging-enabled = true
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
### Custom MySQL configuration and KMS encrypted password
|
||||
|
@ -79,14 +82,13 @@ module "cos-mysql" {
|
|||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [mysql_password](variables.tf#L64) | MySQL root password. If an encrypted password is set, use the kms_config variable to specify KMS configuration. | <code>string</code> | ✓ | |
|
||||
| [mysql_password](variables.tf#L58) | MySQL root password. If an encrypted password is set, use the kms_config variable to specify KMS configuration. | <code>string</code> | ✓ | |
|
||||
| [cloud_config](variables.tf#L17) | Cloud config template path. If null default will be used. | <code>string</code> | | <code>null</code> |
|
||||
| [config_variables](variables.tf#L23) | Additional variables used to render the cloud-config template. | <code>map(any)</code> | | <code>{}</code> |
|
||||
| [docker_logging](variables.tf#L29) | Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead. | <code>bool</code> | | <code>true</code> |
|
||||
| [image](variables.tf#L35) | MySQL container image. | <code>string</code> | | <code>"mysql:5.7"</code> |
|
||||
| [kms_config](variables.tf#L41) | Optional KMS configuration to decrypt passed-in password. Leave null if a plaintext password is used. | <code title="object({ project_id = string keyring = string location = string key = string })">object({…})</code> | | <code>null</code> |
|
||||
| [mysql_config](variables.tf#L52) | MySQL configuration file content, if null container default will be used. | <code>string</code> | | <code>null</code> |
|
||||
| [mysql_data_disk](variables.tf#L58) | MySQL data disk name in /dev/disk/by-id/ including the google- prefix. If null the boot disk will be used for data. | <code>string</code> | | <code>null</code> |
|
||||
| [image](variables.tf#L29) | MySQL container image. | <code>string</code> | | <code>"mysql:5.7"</code> |
|
||||
| [kms_config](variables.tf#L35) | Optional KMS configuration to decrypt passed-in password. Leave null if a plaintext password is used. | <code title="object({ project_id = string keyring = string location = string key = string })">object({…})</code> | | <code>null</code> |
|
||||
| [mysql_config](variables.tf#L46) | MySQL configuration file content, if null container default will be used. | <code>string</code> | | <code>null</code> |
|
||||
| [mysql_data_disk](variables.tf#L52) | MySQL data disk name in /dev/disk/by-id/ including the google- prefix. If null the boot disk will be used for data. | <code>string</code> | | <code>null</code> |
|
||||
| [test_instance](variables-instance.tf#L17) | Test/development instance attributes, leave null to skip creation. | <code title="object({ project_id = string zone = string name = string type = string network = string subnetwork = string })">object({…})</code> | | <code>null</code> |
|
||||
| [test_instance_defaults](variables-instance.tf#L30) | Test/development instance defaults used for optional configuration. If image is null, COS stable will be used. | <code title="object({ disks = map(object({ read_only = bool size = number })) image = string metadata = map(string) nat = bool service_account_roles = list(string) tags = list(string) })">object({…})</code> | | <code title="{ disks = {} image = null metadata = {} nat = false service_account_roles = [ "roles/logging.logWriter", "roles/monitoring.metricWriter" ] tags = ["ssh"] }">{…}</code> |
|
||||
|
||||
|
|
|
@ -96,9 +96,6 @@ write_files:
|
|||
ExecStartPre=/bin/chown -R 2000 /run/mysql/secrets /run/mysql/data
|
||||
ExecStart=/usr/bin/docker run --rm --name=mysql \
|
||||
--user 2000:2000 \
|
||||
%{~ if docker_logging ~}
|
||||
--log-driver=gcplogs \
|
||||
%{~ endif ~}
|
||||
--network host \
|
||||
-e MYSQL_ROOT_PASSWORD_FILE=/etc/secrets/mysql-passwd.txt \
|
||||
-v /run/mysql/secrets:/etc/secrets \
|
||||
|
|
|
@ -16,7 +16,6 @@
|
|||
|
||||
locals {
|
||||
cloud_config = templatefile(local.template, merge(var.config_variables, {
|
||||
docker_logging = var.docker_logging
|
||||
image = var.image
|
||||
kms_config = var.kms_config
|
||||
mysql_config = var.mysql_config
|
||||
|
|
|
@ -26,12 +26,6 @@ variable "config_variables" {
|
|||
default = {}
|
||||
}
|
||||
|
||||
variable "docker_logging" {
|
||||
description = "Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead."
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "image" {
|
||||
description = "MySQL container image."
|
||||
type = string
|
||||
|
|
|
@ -32,6 +32,7 @@ module "vm-nginx-tls" {
|
|||
|
||||
metadata = {
|
||||
user-data = module.cos-nginx-tls.cloud_config
|
||||
google-logging-enabled = true
|
||||
}
|
||||
|
||||
boot_disk = {
|
||||
|
@ -49,12 +50,11 @@ module "vm-nginx-tls" {
|
|||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [docker_logging](variables.tf#L23) | Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead. | <code>bool</code> | | <code>true</code> |
|
||||
| [files](variables.tf#L41) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map(object({ content = string owner = string permissions = string }))">map(object({…}))</code> | | <code>null</code> |
|
||||
| [files](variables.tf#L35) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map(object({ content = string owner = string permissions = string }))">map(object({…}))</code> | | <code>null</code> |
|
||||
| [nginx_image](variables.tf#L17) | Nginx container image to use. | <code>string</code> | | <code>"nginx:1.23.1"</code> |
|
||||
| [runcmd_post](variables.tf#L35) | Extra commands to run after starting nginx. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [runcmd_pre](variables.tf#L29) | Extra commands to run before starting nginx. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [users](variables.tf#L51) | Additional list of usernames to be created. | <code title="list(object({ username = string, uid = number, }))">list(object({…}))</code> | | <code title="[ ]">[…]</code> |
|
||||
| [runcmd_post](variables.tf#L29) | Extra commands to run after starting nginx. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [runcmd_pre](variables.tf#L23) | Extra commands to run before starting nginx. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [users](variables.tf#L45) | Additional list of usernames to be created. | <code title="list(object({ username = string, uid = number, }))">list(object({…}))</code> | | <code title="[ ]">[…]</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -59,8 +59,6 @@ module "cos-envoy-td" {
|
|||
|
||||
files = local.files
|
||||
|
||||
gcp_logging = var.docker_logging
|
||||
|
||||
run_commands = concat(var.runcmd_pre, [
|
||||
"iptables -I INPUT 1 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT",
|
||||
"iptables -I INPUT 1 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT",
|
||||
|
|
|
@ -20,12 +20,6 @@ variable "nginx_image" {
|
|||
default = "nginx:1.23.1"
|
||||
}
|
||||
|
||||
variable "docker_logging" {
|
||||
description = "Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead."
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "runcmd_pre" {
|
||||
description = "Extra commands to run before starting nginx."
|
||||
type = list(string)
|
||||
|
|
|
@ -10,7 +10,7 @@ The resulting `cloud-config` can be customized in a number of ways:
|
|||
|
||||
The default instance configuration inserts iptables rules to allow traffic on port 80.
|
||||
|
||||
Logging and monitoring are enabled via the [Google Cloud Logging driver](https://docs.docker.com/config/containers/logging/gcplogs/) configured for the CoreDNS container, and the [Node Problem Detector](https://cloud.google.com/container-optimized-os/docs/how-to/monitoring) service started by default on boot.
|
||||
Logging and monitoring are enabled via the [Google Cloud Logging agent](https://cloud.google.com/container-optimized-os/docs/how-to/logging) configured for the instance via the `google-logging-enabled` metadata property, and the [Node Problem Detector](https://cloud.google.com/container-optimized-os/docs/how-to/monitoring) service started by default on boot.
|
||||
|
||||
The module renders the generated cloud config in the `cloud_config` output, to be used in instances or instance templates via the `user-data` metadata.
|
||||
|
||||
|
@ -28,10 +28,13 @@ module "cos-nginx" {
|
|||
}
|
||||
|
||||
# use it as metadata in a compute instance or template
|
||||
resource "google_compute_instance" "default" {
|
||||
module "vm-nginx" {
|
||||
source = "./fabric/modules/compute-vm"
|
||||
metadata = {
|
||||
user-data = module.cos-nginx.cloud_config
|
||||
google-logging-enabled = true
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
### Nginx instance
|
||||
|
@ -59,16 +62,15 @@ module "cos-nginx" {
|
|||
|---|---|:---:|:---:|:---:|
|
||||
| [cloud_config](variables.tf#L17) | Cloud config template path. If null default will be used. | <code>string</code> | | <code>null</code> |
|
||||
| [config_variables](variables.tf#L23) | Additional variables used to render the cloud-config and Nginx templates. | <code>map(any)</code> | | <code>{}</code> |
|
||||
| [docker_logging](variables.tf#L29) | Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead. | <code>bool</code> | | <code>true</code> |
|
||||
| [file_defaults](variables.tf#L47) | Default owner and permissions for files. | <code title="object({ owner = string permissions = string })">object({…})</code> | | <code title="{ owner = "root" permissions = "0644" }">{…}</code> |
|
||||
| [files](variables.tf#L59) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map(object({ content = string owner = string permissions = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [image](variables.tf#L35) | Nginx container image. | <code>string</code> | | <code>"nginxdemos/hello:plain-text"</code> |
|
||||
| [nginx_config](variables.tf#L41) | Nginx configuration path, if null container default will be used. | <code>string</code> | | <code>null</code> |
|
||||
| [runcmd_post](variables.tf#L75) | Extra commands to run after starting nginx. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [runcmd_pre](variables.tf#L69) | Extra commands to run before starting nginx. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [file_defaults](variables.tf#L41) | Default owner and permissions for files. | <code title="object({ owner = string permissions = string })">object({…})</code> | | <code title="{ owner = "root" permissions = "0644" }">{…}</code> |
|
||||
| [files](variables.tf#L53) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map(object({ content = string owner = string permissions = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [image](variables.tf#L29) | Nginx container image. | <code>string</code> | | <code>"nginxdemos/hello:plain-text"</code> |
|
||||
| [nginx_config](variables.tf#L35) | Nginx configuration path, if null container default will be used. | <code>string</code> | | <code>null</code> |
|
||||
| [runcmd_post](variables.tf#L69) | Extra commands to run after starting nginx. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [runcmd_pre](variables.tf#L63) | Extra commands to run before starting nginx. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [test_instance](variables-instance.tf#L17) | Test/development instance attributes, leave null to skip creation. | <code title="object({ project_id = string zone = string name = string type = string network = string subnetwork = string })">object({…})</code> | | <code>null</code> |
|
||||
| [test_instance_defaults](variables-instance.tf#L30) | Test/development instance defaults used for optional configuration. If image is null, COS stable will be used. | <code title="object({ disks = map(object({ read_only = bool size = number })) image = string metadata = map(string) nat = bool service_account_roles = list(string) tags = list(string) })">object({…})</code> | | <code title="{ disks = {} image = null metadata = {} nat = false service_account_roles = [ "roles/logging.logWriter", "roles/monitoring.metricWriter" ] tags = ["ssh"] }">{…}</code> |
|
||||
| [users](variables.tf#L81) | List of additional usernames to be created. | <code title="list(object({ username = string, uid = number, }))">list(object({…}))</code> | | <code title="[ ]">[…]</code> |
|
||||
| [users](variables.tf#L75) | List of additional usernames to be created. | <code title="list(object({ username = string, uid = number, }))">list(object({…}))</code> | | <code title="[ ]">[…]</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -59,9 +59,6 @@ write_files:
|
|||
Environment="HOME=/home/nginx"
|
||||
ExecStartPre=/usr/bin/docker-credential-gcr configure-docker
|
||||
ExecStart=/usr/bin/docker run --rm --name=nginx \
|
||||
%{~ if docker_logging ~}
|
||||
--log-driver=gcplogs \
|
||||
%{~ endif ~}
|
||||
--network host \
|
||||
%{~ if etc_mount ~}
|
||||
-v /etc/nginx/conf.d:/etc/nginx/conf.d \
|
||||
|
|
|
@ -16,7 +16,6 @@
|
|||
|
||||
locals {
|
||||
cloud_config = templatefile(local.template, merge(var.config_variables, {
|
||||
docker_logging = var.docker_logging
|
||||
etc_mount = (
|
||||
var.nginx_config != null || length([
|
||||
for name in keys(var.files) :
|
||||
|
|
|
@ -26,12 +26,6 @@ variable "config_variables" {
|
|||
default = {}
|
||||
}
|
||||
|
||||
variable "docker_logging" {
|
||||
description = "Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead."
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "image" {
|
||||
description = "Nginx container image."
|
||||
type = string
|
||||
|
|
|
@ -10,7 +10,7 @@ The resulting `cloud-config` can be customized in a number of ways:
|
|||
|
||||
The default instance configuration inserts iptables rules to allow traffic on TCP port 3128. With the default `squid.conf`, deny rules take precedence over allow rules.
|
||||
|
||||
Logging and monitoring are enabled via the [Google Cloud Logging driver](https://docs.docker.com/config/containers/logging/gcplogs/) configured for the Squid container, and the [Node Problem Detector](https://cloud.google.com/container-optimized-os/docs/how-to/monitoring) service started by default on boot.
|
||||
Logging and monitoring are enabled via the [Google Cloud Logging agent](https://cloud.google.com/container-optimized-os/docs/how-to/logging) configured for the instance via the `google-logging-enabled` metadata property, and the [Node Problem Detector](https://cloud.google.com/container-optimized-os/docs/how-to/monitoring) service started by default on boot.
|
||||
|
||||
The module renders the generated cloud config in the `cloud_config` output, to be used in instances or instance templates via the `user-data` metadata.
|
||||
|
||||
|
@ -30,10 +30,13 @@ module "cos-squid" {
|
|||
}
|
||||
|
||||
# use it as metadata in a compute instance or template
|
||||
resource "google_compute_instance" "default" {
|
||||
module "vm-squid" {
|
||||
source = "./fabric/modules/compute-vm"
|
||||
metadata = {
|
||||
user-data = module.cos-squid.cloud_config
|
||||
google-logging-enabled = true
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
### Test Squid instance
|
||||
|
@ -61,16 +64,15 @@ module "cos-squid" {
|
|||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [allow](variables.tf#L63) | List of domains Squid will allow connections to. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [clients](variables.tf#L75) | List of CIDR ranges from which Squid will allow connections. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [allow](variables.tf#L57) | List of domains Squid will allow connections to. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [clients](variables.tf#L69) | List of CIDR ranges from which Squid will allow connections. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [cloud_config](variables.tf#L17) | Cloud config template path. If null default will be used. | <code>string</code> | | <code>null</code> |
|
||||
| [config_variables](variables.tf#L23) | Additional variables used to render the cloud-config and Squid templates. | <code>map(any)</code> | | <code>{}</code> |
|
||||
| [default_action](variables.tf#L81) | Default action for domains not matching neither the allow or deny lists. | <code>string</code> | | <code>"deny"</code> |
|
||||
| [deny](variables.tf#L69) | List of domains Squid will deny connections to. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [docker_logging](variables.tf#L29) | Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead. | <code>bool</code> | | <code>true</code> |
|
||||
| [file_defaults](variables.tf#L41) | Default owner and permissions for files. | <code title="object({ owner = string permissions = string })">object({…})</code> | | <code title="{ owner = "root" permissions = "0644" }">{…}</code> |
|
||||
| [files](variables.tf#L53) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map(object({ content = string owner = string permissions = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [squid_config](variables.tf#L35) | Squid configuration path, if null default will be used. | <code>string</code> | | <code>null</code> |
|
||||
| [default_action](variables.tf#L75) | Default action for domains not matching neither the allow or deny lists. | <code>string</code> | | <code>"deny"</code> |
|
||||
| [deny](variables.tf#L63) | List of domains Squid will deny connections to. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [file_defaults](variables.tf#L35) | Default owner and permissions for files. | <code title="object({ owner = string permissions = string })">object({…})</code> | | <code title="{ owner = "root" permissions = "0644" }">{…}</code> |
|
||||
| [files](variables.tf#L47) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map(object({ content = string owner = string permissions = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [squid_config](variables.tf#L29) | Squid configuration path, if null default will be used. | <code>string</code> | | <code>null</code> |
|
||||
| [test_instance](variables-instance.tf#L17) | Test/development instance attributes, leave null to skip creation. | <code title="object({ project_id = string zone = string name = string type = string network = string subnetwork = string })">object({…})</code> | | <code>null</code> |
|
||||
| [test_instance_defaults](variables-instance.tf#L30) | Test/development instance defaults used for optional configuration. If image is null, COS stable will be used. | <code title="object({ disks = map(object({ read_only = bool size = number })) image = string metadata = map(string) nat = bool service_account_roles = list(string) tags = list(string) })">object({…})</code> | | <code title="{ disks = {} image = null metadata = {} nat = false service_account_roles = [ "roles/logging.logWriter", "roles/monitoring.metricWriter" ] tags = ["ssh"] }">{…}</code> |
|
||||
|
||||
|
|
|
@ -14,8 +14,6 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# TODO: switch to the gcplogs logging driver, and set driver labels
|
||||
|
||||
users:
|
||||
- name: squid
|
||||
uid: 2000
|
||||
|
@ -71,9 +69,6 @@ write_files:
|
|||
Environment="HOME=/home/squid"
|
||||
ExecStartPre=/usr/bin/docker-credential-gcr configure-docker
|
||||
ExecStart=/usr/bin/docker run --rm --name=squid \
|
||||
%{~ if docker_logging ~}
|
||||
--log-driver=gcplogs \
|
||||
%{~ endif ~}
|
||||
--network host \
|
||||
-v /etc/squid:/etc/squid \
|
||||
gcr.io/pso-cft-fabric/squid:0.10
|
||||
|
|
|
@ -16,7 +16,6 @@
|
|||
|
||||
locals {
|
||||
cloud_config = templatefile(local.template, merge(local.config_variables, {
|
||||
docker_logging = var.docker_logging
|
||||
squid_config = templatefile(local.squid_config, local.config_variables)
|
||||
files = local.files
|
||||
}))
|
||||
|
|
|
@ -26,12 +26,6 @@ variable "config_variables" {
|
|||
default = {}
|
||||
}
|
||||
|
||||
variable "docker_logging" {
|
||||
description = "Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead."
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "squid_config" {
|
||||
description = "Squid configuration path, if null default will be used."
|
||||
type = string
|
||||
|
|
|
@ -282,5 +282,3 @@ variable "zone" {
|
|||
description = "Compute zone."
|
||||
type = string
|
||||
}
|
||||
|
||||
|
||||
|
|