# kubectl create secret generic sso --from-literal=secret_key=$(pwgen 24 1) --from-literal=ldap_bind_password=...
local kube = import "../../../kube/hscloud.libsonnet";
{
# Aliases for the outermost object so nested mixins can reach the
# user-supplied configuration and sibling resources.
local top = self,
local cfg = self.cfg,
# Deployment parameters. Fields defaulting to `error` must be overridden by
# the caller; the error is only raised when such a field is actually read.
cfg:: {
  # Connection parameters for the CockroachDB cluster (see DATABASE_URI).
  database: {
    host: error "database.host must be set",
    name: error "database.name must be set",
    username: error "database.username must be set",
    # CockroachDB's default SQL port.
    port: 26257,
    # Secret holding the client certificate, key and CA for the database.
    tlsSecret: error "database.tlsSecret must be set",
  },
  # Public hostname served by the ingress.
  domain: error "domain must be set",
  # Pinned by digest so the running image cannot silently change.
  image: "registry.k0.hswaw.net/informatic/sso-v2@sha256:1118effa697489028c3cd5a6786d3f94f16dbbe2810b1bf1b0f65ea15bac1914",
  namespace: "sso",
},
# valueFrom-style references into the "sso" Secret, which is created out of
# band (see the kubectl invocation at the top of this file).
secretRefs:: {
  local fromSsoSecret(key) = { secretKeyRef: { name: "sso", key: key } },
  ldap_bind_password: fromSsoSecret("ldap_bind_password"),
  secret_key: fromSsoSecret("secret_key"),
},
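# Namespace helper; every resource below is wrapped in ns.Contain(). Uses the
# `cfg` alias like the rest of the file instead of spelling out top.cfg.
# NOTE(review): ns is only used through Contain(); whether the Namespace
# object itself ends up in the output depends on hscloud.libsonnet -- confirm.
local ns = kube.Namespace(cfg.namespace),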
deployment: ns.Contain(kube.Deployment("sso")) {
  # Mount points shared between the secret-copy init container and the
  # application container.
  local tlsDir = "/tls",
  local tlsOrigDir = "/tls-orig",
  local jwkDir = "/jwk",
  # libpq-style connection URI. The client cert/key paths point at the copy
  # produced by initContainers_.secretCopy, not at the Secret mount itself.
  # NOTE(review): sslmode=require does not ask libpq to verify the server
  # certificate's hostname; verify-full would. Confirm the CockroachDB server
  # certificate's SANs cover cfg.database.host before switching.
  local databaseUri = std.format(
    "cockroachdb://%s@%s:%d/%s?sslmode=require&sslrootcert=%s&sslcert=%s&sslkey=%s",
    [
      cfg.database.username,
      cfg.database.host,
      cfg.database.port,
      cfg.database.name,
      tlsDir + "/ca.crt",
      tlsDir + "/tls.crt",
      tlsDir + "/tls.key",
    ]
  ),
  spec+: {
    replicas: 1,
    template+: {
      spec+: {
        volumes_: {
          # Client certificate, key and CA for the database, from the Secret
          # named in cfg.database.tlsSecret; owner-only permissions.
          crdb: {
            secret: {
              secretName: cfg.database.tlsSecret,
              defaultMode: std.parseOctal("0600"),
            },
          },
          # JWT signing keys. The sso-jwk Secret is not defined in this file
          # (presumably created out of band like the sso Secret).
          jwk: { secret: { secretName: "sso-jwk" } },
          # Scratch volume that receives the dereferenced copy of crdb, see
          # initContainers_.secretCopy.
          # NOTE(review): if kube.EmptyDirVolume() is node-disk backed, a
          # memory-backed emptyDir would keep the copied private key off the
          # node's disk -- confirm against hscloud.libsonnet.
          tlscopy: kube.EmptyDirVolume(),
        },
        # Run as an unprivileged uid/gid; fsGroup is applied by Kubernetes to
        # supported volumes so the mounted Secret files are group-accessible
        # to the process.
        # NOTE(review): runAsNonRoot: true would have the kubelet enforce the
        # non-root requirement instead of relying on runAsUser alone.
        securityContext: {
          runAsUser: 100,
          runAsGroup: 101,
          fsGroup: 101,
        },
        initContainers_: {
          # psycopg2 / libpq wants its TLS secret keys to be only readable by
          # the running process. As k8s exposes secrets/configmaps as
          # symlinks, libpq gets confused and refuses to start, unless we
          # dereference these into a local copy with proper permissions.
          # The copy is owned by the pod's uid and made owner-read-only.
          secretCopy: kube.Container("secret-copy") {
            image: cfg.image,
            command: ["sh", "-c", "cp -fv /tls-orig/* /tls && chmod 0400 /tls/*"],
            volumeMounts_: {
              crdb: { mountPath: tlsOrigDir },
              tlscopy: { mountPath: tlsDir },
            },
          },
        },
        containers_: {
          web: kube.Container("sso") {
            image: cfg.image,
            ports_: { http: { containerPort: 5000 } },
            env_: {
              DATABASE_URI: databaseUri,
              # Secrets are injected via secretKeyRef, never inlined here.
              LDAP_BIND_PASSWORD: top.secretRefs.ldap_bind_password,
              SECRET_KEY: top.secretRefs.secret_key,
              LOGGING_LEVEL: "INFO",
              # JWT settings consumed by the application; the unit of JWT_EXP
              # is not stated in this file (presumably seconds).
              JWT_ALG: "RS256",
              JWT_EXP: "600",
              JWT_PUBLIC_KEYS: jwkDir + "/public.pem",
              JWT_PRIVATE_KEY: jwkDir + "/private.pem",
            },
            volumeMounts_: {
              # Only the copied, re-permissioned TLS material is mounted into
              # the application container, not the original Secret.
              tlscopy: { mountPath: tlsDir },
              jwk: { mountPath: jwkDir },
            },
          },
        },
      },
    },
  },
},
svc: ns.Contain(kube.Service("sso")) {
  # Consumed by hscloud's Service helper to select the Deployment's pods
  # (how exactly is defined in hscloud.libsonnet).
  target:: top.deployment,
  spec+: {
    type: "ClusterIP",
    # Plain HTTP inside the cluster, matching the container's http port.
    ports: [{ name: "http", port: 5000, targetPort: 5000, protocol: "TCP" }],
  },
},
ingress: ns.Contain(kube.SimpleIngress("sso")) {
  # Public hostname the SSO service is reachable under.
  hosts:: [top.cfg.domain],
  # Backend the ingress routes to.
  target_service:: top.svc,
},
}