cluster/kube: split up cluster.jsonnet

It was getting large and unwieldy (to the point where kubecfg was slow).
In this change, we:

 - move the Cluster function to cluster.libsonnet
 - move the Cluster instantiation into k0.libsonnet
 - shuffle some fields around to make sure things are well split between
   k0-specific and general cluster configs.
 - add 'view' files that build on 'cluster.libsonnet' to allow rendering
   either the entire k0 state, or some subsets (for speed)
 - update the documentation, drive-by some small fixes and reindentation

Change-Id: I4b8d920b600df79100295267efe21b8c82699d5b
diff --git a/cluster/kube/k0.libsonnet b/cluster/kube/k0.libsonnet
new file mode 100644
index 0000000..d4c7256
--- /dev/null
+++ b/cluster/kube/k0.libsonnet
@@ -0,0 +1,338 @@
+// k0.hswaw.net kubernetes cluster
+// This defines the cluster as a single object.
+// Use the sibling k0*.jsonnet 'view' files to actually apply the configuration.
+
+local kube = import "../../kube/kube.libsonnet";
+local policies = import "../../kube/policies.libsonnet";
+
+local cluster = import "cluster.libsonnet";
+
+local cockroachdb = import "lib/cockroachdb.libsonnet";
+local registry = import "lib/registry.libsonnet";
+local rook = import "lib/rook.libsonnet";
+
+{
+    k0: {
+        local k0 = self,
+        cluster: cluster.Cluster("k0", "hswaw.net") {
+            cfg+: {
+                storageClassNameParanoid: k0.ceph.waw2Pools.blockParanoid.name,
+            },
+            metallb+: {
+                cfg+: {
+                    peers: [
+                        {
+                            "peer-address": "185.236.240.33",
+                            "peer-asn": 65001,
+                            "my-asn": 65002,
+                        },
+                    ],
+                    addressPools: [
+                        {
+                            name: "public-v4-1",
+                            protocol: "bgp",
+                            addresses: [
+                                "185.236.240.48/28",
+                            ],
+                        },
+                        {
+                            name: "public-v4-2",
+                            protocol: "bgp",
+                            addresses: [
+                                "185.236.240.112/28"
+                            ],
+                        },
+                    ],
+                },
+            },
+        },
+
+        // Docker registry
+        registry: registry.Environment {
+            cfg+: {
+                domain: "registry.%s" % [k0.cluster.fqdn],
+                storageClassName: k0.cluster.cfg.storageClassNameParanoid,
+                objectStorageName: "waw-hdd-redundant-2-object",
+            },
+        },
+
+        // CockroachDB, running on bc01n{01,02,03}.
+        cockroach: {
+            waw2: cockroachdb.Cluster("crdb-waw1") {
+                cfg+: {
+                    topology: [
+                        { name: "bc01n01", node: "bc01n01.hswaw.net" },
+                        { name: "bc01n02", node: "bc01n02.hswaw.net" },
+                        { name: "bc01n03", node: "bc01n03.hswaw.net" },
+                    ],
+                    // Host path on SSD.
+                    hostPath: "/var/db/crdb-waw1",
+                },
+            },
+            clients: {
+                cccampix: k0.cockroach.waw2.Client("cccampix"),
+                cccampixDev: k0.cockroach.waw2.Client("cccampix-dev"),
+                buglessDev: k0.cockroach.waw2.Client("bugless-dev"),
+                sso: k0.cockroach.waw2.Client("sso"),
+            },
+        },
+
+        ceph: {
+            // waw1 cluster - dead as of 2019/08/06, data corruption
+            // waw2 cluster: shitty 7200RPM 2.5" HDDs
+            waw2: rook.Cluster(k0.cluster.rook, "ceph-waw2") {
+                spec: {
+                    mon: {
+                        count: 3,
+                        allowMultiplePerNode: false,
+                    },
+                    storage: {
+                        useAllNodes: false,
+                        useAllDevices: false,
+                        config: {
+                            databaseSizeMB: "1024",
+                            journalSizeMB: "1024",
+                        },
+                        nodes: [
+                            {
+                                name: "bc01n01.hswaw.net",
+                                location: "rack=dcr01 chassis=bc01 host=bc01n01",
+                                devices: [ { name: "sda" } ],
+                            },
+                            {
+                                name: "bc01n02.hswaw.net",
+                                location: "rack=dcr01 chassis=bc01 host=bc01n02",
+                                devices: [ { name: "sda" } ],
+                            },
+                            {
+                                name: "bc01n03.hswaw.net",
+                                location: "rack=dcr01 chassis=bc01 host=bc01n03",
+                                devices: [ { name: "sda" } ],
+                            },
+                        ],
+                    },
+                    benji:: {
+                        metadataStorageClass: "waw-hdd-paranoid-2",
+                        encryptionPassword: std.split((importstr "../secrets/plain/k0-benji-encryption-password"), '\n')[0],
+                        pools: [
+                            "waw-hdd-redundant-2",
+                            "waw-hdd-redundant-2-metadata",
+                            "waw-hdd-paranoid-2",
+                            "waw-hdd-yolo-2",
+                        ],
+                        s3Configuration: {
+                            awsAccessKeyId: "RPYZIROFXNLQVU2WJ4R3",
+                            awsSecretAccessKey: std.split((importstr "../secrets/plain/k0-benji-secret-access-key"), '\n')[0],
+                            bucketName: "benji-k0-backups",
+                            endpointUrl: "https://s3.eu-central-1.wasabisys.com/",
+                        },
+                    }
+                },
+            },
+            waw2Pools: {
+                // redundant block storage
+                blockRedundant: rook.ECBlockPool(k0.ceph.waw2, "waw-hdd-redundant-2") {
+                    spec: {
+                        failureDomain: "host",
+                        erasureCoded: {
+                            dataChunks: 2,
+                            codingChunks: 1,
+                        },
+                    },
+                },
+                // paranoid block storage (3 replicas)
+                blockParanoid: rook.ReplicatedBlockPool(k0.ceph.waw2, "waw-hdd-paranoid-2") {
+                    spec: {
+                        failureDomain: "host",
+                        replicated: {
+                            size: 3,
+                        },
+                    },
+                },
+                // yolo block storage (no replicas!)
+                blockYolo: rook.ReplicatedBlockPool(k0.ceph.waw2, "waw-hdd-yolo-2") {
+                    spec: {
+                        failureDomain: "host",
+                        replicated: {
+                            size: 1,
+                        },
+                    },
+                },
+                objectRedundant: rook.S3ObjectStore(k0.ceph.waw2, "waw-hdd-redundant-2-object") {
+                    spec: {
+                        metadataPool: {
+                            failureDomain: "host",
+                            replicated: { size: 3 },
+                        },
+                        dataPool: {
+                            failureDomain: "host",
+                            erasureCoded: {
+                                dataChunks: 2,
+                                codingChunks: 1,
+                            },
+                        },
+                    },
+                },
+            },
+
+            // waw3: 6TB SAS 3.5" HDDs
+            waw3: rook.Cluster(k0.cluster.rook, "ceph-waw3") {
+                spec: {
+                    mon: {
+                        count: 3,
+                        allowMultiplePerNode: false,
+                    },
+                    storage: {
+                        useAllNodes: false,
+                        useAllDevices: false,
+                        config: {
+                            databaseSizeMB: "1024",
+                            journalSizeMB: "1024",
+                        },
+                        nodes: [
+                            {
+                                name: "dcr01s22.hswaw.net",
+                                location: "rack=dcr01 host=dcr01s22",
+                                devices: [
+                                    // https://github.com/rook/rook/issues/1228
+                                    //{ name: "disk/by-id/wwan-0x" + wwan }
+                                    //for wwan in [
+                                    //    "5000c5008508c433",
+                                    //    "5000c500850989cf",
+                                    //    "5000c5008508f843",
+                                    //    "5000c5008508baf7",
+                                    //]
+                                    { name: "sdn" },
+                                    { name: "sda" },
+                                    { name: "sdb" },
+                                    { name: "sdc" },
+                                ],
+                            },
+                            {
+                                name: "dcr01s24.hswaw.net",
+                                location: "rack=dcr01 host=dcr01s22",
+                                devices: [
+                                    // https://github.com/rook/rook/issues/1228
+                                    //{ name: "disk/by-id/wwan-0x" + wwan }
+                                    //for wwan in [
+                                    //    "5000c5008508ee03",
+                                    //    "5000c5008508c9ef",
+                                    //    "5000c5008508df33",
+                                    //    "5000c5008508dd3b",
+                                    //]
+                                    { name: "sdm" },
+                                    { name: "sda" },
+                                    { name: "sdb" },
+                                    { name: "sdc" },
+                                ],
+                            },
+                        ],
+                    },
+                    benji:: {
+                        metadataStorageClass: "waw-hdd-redundant-3",
+                        encryptionPassword: std.split((importstr "../secrets/plain/k0-benji-encryption-password"), '\n')[0],
+                        pools: [
+                            "waw-hdd-redundant-3",
+                            "waw-hdd-redundant-3-metadata",
+                            "waw-hdd-yolo-3",
+                        ],
+                        s3Configuration: {
+                            awsAccessKeyId: "RPYZIROFXNLQVU2WJ4R3",
+                            awsSecretAccessKey: std.split((importstr "../secrets/plain/k0-benji-secret-access-key"), '\n')[0],
+                            bucketName: "benji-k0-backups-waw3",
+                            endpointUrl: "https://s3.eu-central-1.wasabisys.com/",
+                        },
+                    }
+                },
+            },
+            waw3Pools: {
+                // redundant block storage
+                blockRedundant: rook.ECBlockPool(k0.ceph.waw3, "waw-hdd-redundant-3") {
+                    metadataReplicas: 2,
+                    spec: {
+                        failureDomain: "host",
+                        replicated: {
+                          size: 2,
+                        },
+                    },
+                },
+                // yolo block storage (low usage, no host redundancy)
+                blockYolo: rook.ReplicatedBlockPool(k0.ceph.waw3, "waw-hdd-yolo-3") {
+                    spec: {
+                        failureDomain: "osd",
+                        erasureCoded: {
+                            dataChunks: 12,
+                            codingChunks: 4,
+                        },
+                    },
+                },
+                objectRedundant: rook.S3ObjectStore(k0.ceph.waw3, "waw-hdd-redundant-3-object") {
+                    spec: {
+                        metadataPool: {
+                            failureDomain: "host",
+                            replicated: { size: 2 },
+                        },
+                        dataPool: {
+                            failureDomain: "host",
+                            replicated: { size: 2 },
+                        },
+                    },
+                },
+            },
+
+            // Clients for S3/radosgw storage.
+            clients: {
+                # Used for owncloud.hackerspace.pl, which for now lives on boston-packets.hackerspace.pl.
+                nextcloudWaw3: kube.CephObjectStoreUser("nextcloud") {
+                    metadata+: {
+                        namespace: "ceph-waw3",
+                    },
+                    spec: {
+                        store: "waw-hdd-redundant-3-object",
+                        displayName: "nextcloud",
+                    },
+                },
+
+                # nuke@hackerspace.pl's personal storage.
+                nukePersonalWaw3: kube.CephObjectStoreUser("nuke-personal") {
+                    metadata+: {
+                        namespace: "ceph-waw3",
+                    },
+                    spec: {
+                        store: "waw-hdd-redundant-3-object",
+                        displayName: "nuke-personal",
+                    },
+                },
+
+                # patryk@hackerspace.pl's ArmA3 mod bucket.
+                cz2ArmaModsWaw3: kube.CephObjectStoreUser("cz2-arma3mods") {
+                    metadata+: {
+                        namespace: "ceph-waw3",
+                    },
+                    spec: {
+                        store: "waw-hdd-redundant-3-object",
+                        displayName: "cz2-arma3mods",
+                    },
+                },
+            },
+        },
+
+
+        # These are policies allowing for Insecure pods in some namespaces.
+        # A lot of them are spurious and come from the fact that we deployed
+        # these namespaces before we deployed the draconian PodSecurityPolicy
+        # we have now. This should be fixed by setting up some more granular
+        # policies, or fixing the workloads to not need some of the permission
+        # bits they use, whatever those might be.
+        # TODO(q3k): fix this?
+        unnecessarilyInsecureNamespaces: [
+            policies.AllowNamespaceInsecure("ceph-waw2"),
+            policies.AllowNamespaceInsecure("ceph-waw3"),
+            policies.AllowNamespaceInsecure("matrix"),
+            policies.AllowNamespaceInsecure("registry"),
+            policies.AllowNamespaceInsecure("internet"),
+            # TODO(implr): restricted policy with CAP_NET_ADMIN and tuntap, but no full root
+            policies.AllowNamespaceInsecure("implr-vpn"),
+        ],
+    },
+}
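Review bot: The waw3 node entry for `dcr01s24.hswaw.net` carries `location: "rack=dcr01 host=dcr01s22"`, which looks like a copy-paste of the dcr01s22 entry above it; if Rook propagates this as the OSD CRUSH location as it does for the other nodes, both hosts collapse into one `host` bucket and the `failureDomain: "host"` pools in `waw3Pools` (replicated size 2, and the object store pools) either cannot place a second replica or place both copies on the same physical machine. The fix is one line: `location: "rack=dcr01 host=dcr01s24",`. Separately, `waw3Pools.blockRedundant` is built with `rook.ECBlockPool` but its spec is `replicated`, while `blockYolo` uses `rook.ReplicatedBlockPool` with an `erasureCoded` spec — the constructors appear swapped relative to the specs, and `metadataReplicas: 2` on the replicated pool suggests ECBlockPool is creating a metadata pool that a replicated RBD pool does not need; worth confirming against lib/rook.libsonnet before this is applied. A short comment on the waw3 `nodes` list such as `// location must be unique per host: it becomes the CRUSH host bucket for failureDomain=host` would make the first mistake harder to repeat.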