| # kubectl create secret generic sso --from-literal=secret_key=$(pwgen 24 1) --from-literal=ldap_bind_password=... |
| |
| local kube = import "../../../kube/kube.libsonnet"; |
| |
| { |
| local app = self, |
| local cfg = app.cfg, |
| |
| cfg:: { |
| namespace: "sso", |
| image: "registry.k0.hswaw.net/informatic/sso-v2@sha256:1118effa697489028c3cd5a6786d3f94f16dbbe2810b1bf1b0f65ea15bac1914", |
| domain: error "domain must be set", |
| database: { |
| host: error "database.host must be set", |
| name: error "database.name must be set", |
| username: error "database.username must be set", |
| port: 26257, |
| tlsSecret: error "database.tlsSecret must be set", |
| }, |
| }, |
| |
| ns: kube.Namespace(app.cfg.namespace), |
| |
| deployment: app.ns.Contain(kube.Deployment("sso")) { |
| spec+: { |
| replicas: 1, |
| template+: { |
| spec+: { |
| volumes_: { |
| crdb: { |
| secret: { |
| secretName: cfg.database.tlsSecret, |
| defaultMode: std.parseOctal("0600"), |
| }, |
| }, |
| jwk: { secret: { secretName: "sso-jwk" } }, |
| tlscopy: kube.EmptyDirVolume(), # see initContainers_.secretCopy |
| }, |
| securityContext: { |
| runAsUser: 100, |
| runAsGroup: 101, |
| fsGroup: 101, |
| }, |
| initContainers_: { |
| # psycopg2 / libpq wants its TLS secret keys to be only |
| # readable by running process. As k8s exposes |
| # secrets/configmaps as symlinks, libpq gets confused |
| # and refuses to start, unless we dereference these into |
| # a local copy with proper permissions. |
| secretCopy: kube.Container("secret-copy") { |
| image: cfg.image, |
| command: ["sh", "-c", "cp -fv /tls-orig/* /tls && chmod 0400 /tls/*"], |
| volumeMounts_: { |
| crdb: { mountPath: "/tls-orig" }, |
| tlscopy: { mountPath: "/tls" }, |
| }, |
| }, |
| }, |
| containers_: { |
| web: kube.Container("sso") { |
| image: cfg.image, |
| ports_: { |
| http: { containerPort: 5000 }, |
| }, |
| env_: { |
| DATABASE_URI: "cockroachdb://%s@%s:%d/%s?sslmode=require&sslrootcert=%s&sslcert=%s&sslkey=%s" % [ |
| cfg.database.username, |
| cfg.database.host, |
| cfg.database.port, |
| cfg.database.name, |
| "/tls/ca.crt", |
| "/tls/tls.crt", |
| "/tls/tls.key", |
| ], |
| |
| LDAP_BIND_PASSWORD: { secretKeyRef: { name: "sso", key: "ldap_bind_password" } }, |
| SECRET_KEY: { secretKeyRef: { name: "sso", key: "secret_key" } }, |
| LOGGING_LEVEL: "INFO", |
| |
| JWT_ALG: "RS256", |
| JWT_EXP: "600", |
| |
| JWT_PUBLIC_KEYS: "/jwk/public.pem", |
| JWT_PRIVATE_KEY: "/jwk/private.pem", |
| }, |
| volumeMounts_: { |
| tlscopy: { mountPath: "/tls" }, |
| jwk: { mountPath: "/jwk" }, |
| }, |
| }, |
| }, |
| }, |
| }, |
| }, |
| }, |
| |
| svc: app.ns.Contain(kube.Service("sso")) { |
| target_pod:: app.deployment.spec.template, |
| spec+: { |
| ports: [ |
| { name: "http", port: 5000, targetPort: 5000, protocol: "TCP" }, |
| ], |
| type: "ClusterIP", |
| }, |
| }, |
| |
| ingress: app.ns.Contain(kube.Ingress("sso")) { |
| metadata+: { |
| annotations+: { |
| "kubernetes.io/tls-acme": "true", |
| "cert-manager.io/cluster-issuer": "letsencrypt-prod", |
| "nginx.ingress.kubernetes.io/proxy-body-size": "0", |
| }, |
| }, |
| spec+: { |
| tls: [ |
| { |
| hosts: [cfg.domain], |
| secretName: "sso-tls", |
| }, |
| ], |
| rules: [ |
| { |
| host: cfg.domain, |
| http: { |
| paths: [ |
| { path: "/", backend: app.svc.name_port }, |
| ] |
| }, |
| } |
| ], |
| }, |
| }, |
| } |