bgpwtf/cccampix: draw the rest of the fucking owl
Change-Id: I49fd5906e69512e8f2d414f406edc0179522f225
diff --git a/bgpwtf/cccampix/kube/ix.libsonnet b/bgpwtf/cccampix/kube/ix.libsonnet
index ec89291..1503a47 100644
--- a/bgpwtf/cccampix/kube/ix.libsonnet
+++ b/bgpwtf/cccampix/kube/ix.libsonnet
@@ -5,15 +5,41 @@
local ix = self,
local cfg = ix.cfg,
cfg:: {
+ image: "registry.k0.hswaw.net/bgpwtf/cccampix:1565559239-95928eecd7e35e8582fa011d1457643ca398c310",
+
+ domain: "ix-status.bgp.wtf",
octorpki: {
- image: "registry.k0.hswaw.net/q3k/octorpki:1565367301-909a166cac3bdade6d5b8344fa590aa884114911",
+ image: "registry.k0.hswaw.net/bgpwtf/cccampix:1565469898-95928eecd7e35e8582fa011d1457643ca398c310",
storageClassName: "waw-hdd-redundant-2",
resources: {
- requests: { cpu: "100m", memory: "500Mi" },
- limits: { cpu: "500m", memory: "1Gi" },
+ requests: { cpu: "200m", memory: "1Gi" },
+ limits: { cpu: "1", memory: "2Gi" },
},
},
+ verifier: {
+ image: cfg.image,
+ db: {
+ host: "public.crdb-waw1.svc.cluster.local",
+ port: 26257,
+ username: "cccampix",
+ name: "cccampix",
+ tlsSecret: "client-cccampix-certificate",
+ },
+ },
+
+ irr: {
+ image: cfg.image,
+ },
+
+ peeringdb: {
+ image: cfg.image,
+ },
+
+ frontend: {
+ image: cfg.image,
+ },
+
appName: "ix",
namespace: error "namespace must be defined",
prefix: "",
@@ -31,6 +57,11 @@
},
octorpki: {
+ address:: "%s.%s.svc.cluster.local:%d" % [
+ "octorpki",
+ ix.cfg.namespace,
+ 8080,
+ ],
cache: kube.PersistentVolumeClaim(ix.name("octorpki")) {
metadata+: ix.metadata("octorpki"),
spec+: {
@@ -80,5 +111,131 @@
},
},
},
+
+ component(name):: {
+ local component = self,
+ args:: error "args must be set",
+ name:: name,
+ port:: 4200,
+ volumes:: {},
+ volumeMounts:: {},
+
+ deployment: kube.Deployment(ix.name(name)) {
+ metadata+: ix.metadata(name),
+ spec+: {
+ template+: {
+ spec+: {
+ volumes_: component.volumes,
+ containers_: {
+ [name]: kube.Container(ix.name(name)) {
+ image: cfg[name].image,
+ args: component.args,
+ volumeMounts_: component.volumeMounts,
+ },
+ },
+ },
+ },
+ },
+ },
+ svc: kube.Service(ix.name(name)) {
+ metadata+: ix.metadata(name),
+ target_pod:: component.deployment.spec.template,
+ spec+: {
+ ports: [
+ { name: "client", port: component.port, targetPort: component.port, protocol: "TCP" },
+ ],
+ },
+ },
+
+ address:: "%s.%s.svc.cluster.local:%d" % [
+ component.name,
+ ix.cfg.namespace,
+ component.port,
+ ],
+ },
+
+ irr: ix.component("irr") {
+ args: [
+ "/ix/irr",
+ "-hspki_disable",
+ "-listen_address=0.0.0.0:4200",
+ ],
+ },
+
+ peeringdb: ix.component("peeringdb") {
+ args: [
+ "/ix/peeringdb",
+ "-hspki_disable",
+ "-listen_address=0.0.0.0:4200",
+ ],
+ },
+
+ verifier: ix.component("verifier") {
+ volumes: {
+ tls: {
+ secret: {
+ secretName: cfg.verifier.db.tlsSecret,
+ defaultMode: kube.parseOctal("0400"),
+ },
+ },
+ },
+ volumeMounts: {
+ tls: {
+ mountPath: "/tls",
+ },
+ },
+ args: [
+ "/ix/verifier",
+ "-hspki_disable",
+ "-dsn", "postgres://%s@%s:%d/%s?sslmode=require&sslrootcert=%s&sslcert=%s&sslkey=%s" % [
+ cfg.verifier.db.username,
+ cfg.verifier.db.host,
+ cfg.verifier.db.port,
+ cfg.verifier.db.name,
+ "/tls/ca.crt",
+ "/tls/tls.crt",
+ "/tls/tls.key",
+ ],
+ "-peeringdb=" + ix.peeringdb.address,
+ "-irr=" + ix.irr.address,
+ "-listen_address=0.0.0.0:4200",
+ "-octorpki=" + ix.octorpki.address,
+ ],
+ },
+
+ frontend: ix.component("frontend") {
+ port: 8080,
+ args: [
+ "/ix/frontend.par",
+ "--flask_secret=dupa",
+ "--listen=0.0.0.0:8080",
+ "--verifier=" + ix.verifier.address,
+ ],
+ },
+
+ ingress: kube.Ingress("ingress") {
+ metadata+: ix.metadata("public") {
+ annotations+: {
+ "kubernetes.io/tls-acme": "true",
+ "certmanager.k8s.io/cluster-issuer": "letsencrypt-prod",
+ "nginx.ingress.kubernetes.io/proxy-body-size": "0",
+ },
+ },
+ spec+: {
+ tls: [
+ { hosts: [cfg.domain], secretName: "public-tls"}
+ ],
+ rules: [
+ {
+ host: cfg.domain,
+ http: {
+ paths: [
+ { path: "/", backend: ix.frontend.svc.name_port },
+ ],
+ },
+ },
+ ],
+ },
+ },
},
}