Gitiles
Code Review Sign In
gerrit.hackerspace.pl / hscloud / ec71cb50bde7b836a3ee2eda2e07e6f1e53274ef / . / bgpwtf / cccampix / kube / ix.libsonnet
blob: ff74f2b1217b6bb127d6205d878aa81d4ef8716b [file] [log] [blame]
local kube = import "../../../kube/kube.libsonnet";
{
IX: {
local ix = self,
local cfg = ix.cfg,
cfg:: {
image: "registry.k0.hswaw.net/bgpwtf/cccampix:1566475793-53f188c8fe83781ac057a3442830c6aa3dce5269",
domain: "ix-status.bgp.wtf",
grpcDomain: "ix-grpc.bgp.wtf",
octorpki: {
image: cfg.image,
storageClassName: "waw-hdd-redundant-2",
resources: {
requests: { cpu: "200m", memory: "1Gi" },
limits: { cpu: "1", memory: "2Gi" },
},
},
verifier: {
image: cfg.image,
db: {
host: "public.crdb-waw1.svc.cluster.local",
port: 26257,
username: "cccampix",
name: "cccampix",
tlsSecret: "client-cccampix-certificate",
},
},
pgpencryptor: {
image: cfg.image,
db: {
host: "public.crdb-waw1.svc.cluster.local",
port: 26257,
username: "cccampix",
name: "cccampix-pgpencryptor",
tlsSecret: "client-cccampix-certificate",
},
},
irr: {
image: cfg.image,
},
peeringdb: {
image: cfg.image,
},
frontend: {
image: cfg.image,
},
appName: "ix",
namespace: error "namespace must be defined",
prefix: "",
},
namespace: kube.Namespace(cfg.namespace),
name(component):: cfg.prefix + component,
metadata(component):: {
namespace: cfg.namespace,
labels: {
"app.kubernetes.io/name": cfg.appName,
"app.kubernetes.io/managed-by": "kubecfg",
"app.kubernetes.io/component": component,
},
},
octorpki: {
address:: "%s.%s.svc.cluster.local:%d" % [
"octorpki",
ix.cfg.namespace,
8080,
],
cache: kube.PersistentVolumeClaim(ix.name("octorpki")) {
metadata+: ix.metadata("octorpki"),
spec+: {
storageClassName: cfg.octorpki.storageClassName,
accessModes: [ "ReadWriteOnce" ],
resources: {
requests: {
storage: "2Gi",
},
},
},
},
deployment: kube.Deployment(ix.name("octorpki")) {
metadata+: ix.metadata("octorpki"),
spec+: {
template+: {
spec+: {
volumes_: {
cache: kube.PersistentVolumeClaimVolume(ix.octorpki.cache),
},
containers_: {
octorpki: kube.Container(ix.name("octorpki")){
image: cfg.octorpki.image,
args: [
"/octorpki/entrypoint.sh",
],
ports_: {
client: { containerPort: 8080 },
},
volumeMounts_: {
cache: { mountPath: "/cache" },
},
resources: cfg.octorpki.resources,
},
},
},
},
},
},
svc: kube.Service(ix.name("octorpki")) {
metadata+: ix.metadata("octorpki"),
target_pod:: ix.octorpki.deployment.spec.template,
spec+: {
ports: [
{ name: "client", port: 8080, targetPort: 8080, protocol: "TCP" },
],
},
},
},
component(name):: {
local component = self,
args:: error "args must be set",
name:: name,
port:: 4200,
volumes:: {},
volumeMounts:: {},
deployment: kube.Deployment(ix.name(name)) {
metadata+: ix.metadata(name),
spec+: {
template+: {
spec+: {
volumes_: component.volumes,
containers_: {
[name]: kube.Container(ix.name(name)) {
image: cfg[name].image,
args: component.args,
volumeMounts_: component.volumeMounts,
},
},
},
},
},
},
svc: kube.Service(ix.name(name)) {
metadata+: ix.metadata(name),
target_pod:: component.deployment.spec.template,
spec+: {
ports: [
{ name: "client", port: component.port, targetPort: component.port, protocol: "TCP" },
],
},
},
address:: "%s.%s.svc.cluster.local:%d" % [
component.name,
ix.cfg.namespace,
component.port,
],
},
irr: ix.component("irr") {
args: [
"/ix/irr",
"-hspki_disable",
"-listen_address=0.0.0.0:4200",
],
},
peeringdb: ix.component("peeringdb") {
args: [
"/ix/peeringdb",
"-hspki_disable",
"-listen_address=0.0.0.0:4200",
],
},
crdb:: {
volumes: {
tls: {
secret: {
secretName: cfg.verifier.db.tlsSecret,
defaultMode: kube.parseOctal("0400"),
},
},
},
volumeMounts: {
tls: {
mountPath: "/tls",
},
},
args(dbconf): [
"-dsn", "postgres://%s@%s:%d/%s?sslmode=require&sslrootcert=%s&sslcert=%s&sslkey=%s" % [
dbconf.username,
dbconf.host,
dbconf.port,
dbconf.name,
"/tls/ca.crt",
"/tls/tls.crt",
"/tls/tls.key",
],
]
},
verifier: ix.component("verifier") {
volumes: ix.crdb.volumes,
volumeMounts: ix.crdb.volumeMounts,
args: [
"/ix/verifier",
"-hspki_disable",
"-listen_address=0.0.0.0:4200",
"-peeringdb=" + ix.peeringdb.address,
"-irr=" + ix.irr.address,
"-octorpki=" + ix.octorpki.address,
"-pgpencryptor=" + ix.pgpencryptor.address,
] + ix.crdb.args(cfg.verifier.db),
},
pgpencryptor: ix.component("pgpencryptor") {
volumes: ix.crdb.volumes,
volumeMounts: ix.crdb.volumeMounts,
args: [
"/ix/pgpencryptor",
"-hspki_disable",
"-listen_address=0.0.0.0:4200",
] + ix.crdb.args(cfg.pgpencryptor.db),
},
frontend: ix.component("frontend") {
port: 8080,
args: [
"/ix/frontend.par",
"--flask_secret=dupa",
"--listen=0.0.0.0:8080",
"--verifier=" + ix.verifier.address,
],
},
ripeSync: kube.CronJob(ix.name("ripe-sync")) {
metadata+: ix.metadata("ripe-sync"),
spec+: {
schedule: "*/5 * * * *",
jobTemplate+: {
spec+: {
selector:: null,
template+: {
spec+: {
containers_: {
"ripe-sync": kube.Container(ix.name("ripe-sync")) {
image: cfg.image,
args: [
"/ix/ripe-sync.par",
"$(PASSWORD)",
ix.verifier.address,
],
env_: {
PASSWORD: {
secretKeyRef: {
name: ix.name("ripe-sync"),
key: "password",
},
},
},
},
},
},
},
},
},
},
},
ingress: kube.Ingress("ingress") {
metadata+: ix.metadata("public") {
annotations+: {
"kubernetes.io/tls-acme": "true",
"certmanager.k8s.io/cluster-issuer": "letsencrypt-prod",
"nginx.ingress.kubernetes.io/proxy-body-size": "0",
},
},
spec+: {
tls: [
{ hosts: [cfg.domain], secretName: "public-tls"}
],
rules: [
{
host: cfg.domain,
http: {
paths: [
{ path: "/", backend: ix.frontend.svc.name_port },
],
},
},
],
},
},
grpcIngress: kube.Ingress("grpc") {
metadata+: ix.metadata("grpc") {
annotations+: {
"kubernetes.io/tls-acme": "true",
"certmanager.k8s.io/cluster-issuer": "letsencrypt-prod",
"kubernetes.io/ingress.class": "nginx",
"nginx.ingress.kubernetes.io/ssl-redirect": "true",
"nginx.ingress.kubernetes.io/backend-protocol": "GRPC",
"nginx.ingress.kubernetes.io/whitelist-source-range": "185.236.240.34/32",
},
},
spec+: {
tls: [
{ hosts: [cfg.grpcDomain], secretName: "grpc-tls"}
],
rules: [
{
host: cfg.grpcDomain,
http: {
paths: [
{ path: "/", backend: ix.verifier.svc.name_port },
],
},
},
],
},
},
},
}