blob: 58e3f8b2e73e0ad7d21358a8c22a10c786f79e55 [file] [log] [blame]
# kubectl create secret generic sso --from-literal=secret_key=$(pwgen 24 1) --from-literal=ldap_bind_password=...
local kube = import "../../../kube/hscloud.libsonnet";
{
local app = self,
local cfg = app.cfg,
cfg:: {
namespace: "sso",
image: "registry.k0.hswaw.net/informatic/sso-v2@sha256:1118effa697489028c3cd5a6786d3f94f16dbbe2810b1bf1b0f65ea15bac1914",
domain: error "domain must be set",
database: {
host: error "database.host must be set",
name: error "database.name must be set",
username: error "database.username must be set",
port: 26257,
tlsSecret: error "database.tlsSecret must be set",
},
},
ns: kube.Namespace(app.cfg.namespace),
deployment: app.ns.Contain(kube.Deployment("sso")) {
spec+: {
replicas: 1,
template+: {
spec+: {
volumes_: {
crdb: {
secret: {
secretName: cfg.database.tlsSecret,
defaultMode: std.parseOctal("0600"),
},
},
jwk: { secret: { secretName: "sso-jwk" } },
tlscopy: kube.EmptyDirVolume(), # see initContainers_.secretCopy
},
securityContext: {
runAsUser: 100,
runAsGroup: 101,
fsGroup: 101,
},
initContainers_: {
# psycopg2 / libpq wants its TLS secret keys to be only
# readable by running process. As k8s exposes
# secrets/configmaps as symlinks, libpq gets confused
# and refuses to start, unless we dereference these into
# a local copy with proper permissions.
secretCopy: kube.Container("secret-copy") {
image: cfg.image,
command: ["sh", "-c", "cp -fv /tls-orig/* /tls && chmod 0400 /tls/*"],
volumeMounts_: {
crdb: { mountPath: "/tls-orig" },
tlscopy: { mountPath: "/tls" },
},
},
},
containers_: {
web: kube.Container("sso") {
image: cfg.image,
ports_: {
http: { containerPort: 5000 },
},
env_: {
DATABASE_URI: "cockroachdb://%s@%s:%d/%s?sslmode=require&sslrootcert=%s&sslcert=%s&sslkey=%s" % [
cfg.database.username,
cfg.database.host,
cfg.database.port,
cfg.database.name,
"/tls/ca.crt",
"/tls/tls.crt",
"/tls/tls.key",
],
LDAP_BIND_PASSWORD: { secretKeyRef: { name: "sso", key: "ldap_bind_password" } },
SECRET_KEY: { secretKeyRef: { name: "sso", key: "secret_key" } },
LOGGING_LEVEL: "INFO",
JWT_ALG: "RS256",
JWT_EXP: "600",
JWT_PUBLIC_KEYS: "/jwk/public.pem",
JWT_PRIVATE_KEY: "/jwk/private.pem",
},
volumeMounts_: {
tlscopy: { mountPath: "/tls" },
jwk: { mountPath: "/jwk" },
},
},
},
},
},
},
},
svc: app.ns.Contain(kube.Service("sso")) {
target_pod:: app.deployment.spec.template,
spec+: {
ports: [
{ name: "http", port: 5000, targetPort: 5000, protocol: "TCP" },
],
type: "ClusterIP",
},
},
ingress: app.ns.Contain(kube.SimpleIngress("sso")) {
hosts:: [cfg.domain],
target_service:: app.svc,
},
}