| local kube = import "../../../kube/kube.libsonnet"; |
| |
| { |
| IX: { |
| local ix = self, |
| local cfg = ix.cfg, |
| cfg:: { |
| image: "registry.k0.hswaw.net/bgpwtf/cccampix:1566475793-53f188c8fe83781ac057a3442830c6aa3dce5269", |
| |
| domain: "ix-status.bgp.wtf", |
| grpcDomain: "ix-grpc.bgp.wtf", |
| octorpki: { |
| image: cfg.image, |
| storageClassName: "waw-hdd-redundant-2", |
| resources: { |
| requests: { cpu: "200m", memory: "1Gi" }, |
| limits: { cpu: "1", memory: "2Gi" }, |
| }, |
| }, |
| |
| verifier: { |
| image: cfg.image, |
| db: { |
| host: "public.crdb-waw1.svc.cluster.local", |
| port: 26257, |
| username: "cccampix", |
| name: "cccampix", |
| tlsSecret: "client-cccampix-certificate", |
| }, |
| }, |
| |
| pgpencryptor: { |
| image: cfg.image, |
| db: { |
| host: "public.crdb-waw1.svc.cluster.local", |
| port: 26257, |
| username: "cccampix", |
| name: "cccampix-pgpencryptor", |
| tlsSecret: "client-cccampix-certificate", |
| }, |
| }, |
| |
| irr: { |
| image: cfg.image, |
| }, |
| |
| peeringdb: { |
| image: cfg.image, |
| }, |
| |
| frontend: { |
| image: cfg.image, |
| }, |
| |
| appName: "ix", |
| namespace: error "namespace must be defined", |
| prefix: "", |
| }, |
| |
| namespace: kube.Namespace(cfg.namespace), |
| name(component):: cfg.prefix + component, |
| metadata(component):: { |
| namespace: cfg.namespace, |
| labels: { |
| "app.kubernetes.io/name": cfg.appName, |
| "app.kubernetes.io/managed-by": "kubecfg", |
| "app.kubernetes.io/component": component, |
| }, |
| }, |
| |
| octorpki: { |
| address:: "%s.%s.svc.cluster.local:%d" % [ |
| "octorpki", |
| ix.cfg.namespace, |
| 8080, |
| ], |
| cache: kube.PersistentVolumeClaim(ix.name("octorpki")) { |
| metadata+: ix.metadata("octorpki"), |
| spec+: { |
| storageClassName: cfg.octorpki.storageClassName, |
| accessModes: [ "ReadWriteOnce" ], |
| resources: { |
| requests: { |
| storage: "2Gi", |
| }, |
| }, |
| }, |
| }, |
| deployment: kube.Deployment(ix.name("octorpki")) { |
| metadata+: ix.metadata("octorpki"), |
| spec+: { |
| template+: { |
| spec+: { |
| volumes_: { |
| cache: kube.PersistentVolumeClaimVolume(ix.octorpki.cache), |
| }, |
| containers_: { |
| octorpki: kube.Container(ix.name("octorpki")){ |
| image: cfg.octorpki.image, |
| args: [ |
| "/octorpki/entrypoint.sh", |
| ], |
| ports_: { |
| client: { containerPort: 8080 }, |
| }, |
| volumeMounts_: { |
| cache: { mountPath: "/cache" }, |
| }, |
| resources: cfg.octorpki.resources, |
| }, |
| }, |
| }, |
| }, |
| }, |
| }, |
| svc: kube.Service(ix.name("octorpki")) { |
| metadata+: ix.metadata("octorpki"), |
| target_pod:: ix.octorpki.deployment.spec.template, |
| spec+: { |
| ports: [ |
| { name: "client", port: 8080, targetPort: 8080, protocol: "TCP" }, |
| ], |
| }, |
| }, |
| }, |
| |
| component(name):: { |
| local component = self, |
| args:: error "args must be set", |
| name:: name, |
| port:: 4200, |
| volumes:: {}, |
| volumeMounts:: {}, |
| |
| deployment: kube.Deployment(ix.name(name)) { |
| metadata+: ix.metadata(name), |
| spec+: { |
| template+: { |
| spec+: { |
| volumes_: component.volumes, |
| containers_: { |
| [name]: kube.Container(ix.name(name)) { |
| image: cfg[name].image, |
| args: component.args, |
| volumeMounts_: component.volumeMounts, |
| }, |
| }, |
| }, |
| }, |
| }, |
| }, |
| svc: kube.Service(ix.name(name)) { |
| metadata+: ix.metadata(name), |
| target_pod:: component.deployment.spec.template, |
| spec+: { |
| ports: [ |
| { name: "client", port: component.port, targetPort: component.port, protocol: "TCP" }, |
| ], |
| }, |
| }, |
| |
| address:: "%s.%s.svc.cluster.local:%d" % [ |
| component.name, |
| ix.cfg.namespace, |
| component.port, |
| ], |
| }, |
| |
| irr: ix.component("irr") { |
| args: [ |
| "/ix/irr", |
| "-hspki_disable", |
| "-listen_address=0.0.0.0:4200", |
| ], |
| }, |
| |
| peeringdb: ix.component("peeringdb") { |
| args: [ |
| "/ix/peeringdb", |
| "-hspki_disable", |
| "-listen_address=0.0.0.0:4200", |
| ], |
| }, |
| |
| crdb:: { |
| volumes: { |
| tls: { |
| secret: { |
| secretName: cfg.verifier.db.tlsSecret, |
| defaultMode: kube.parseOctal("0400"), |
| }, |
| }, |
| }, |
| volumeMounts: { |
| tls: { |
| mountPath: "/tls", |
| }, |
| }, |
| args(dbconf): [ |
| "-dsn", "postgres://%s@%s:%d/%s?sslmode=require&sslrootcert=%s&sslcert=%s&sslkey=%s" % [ |
| dbconf.username, |
| dbconf.host, |
| dbconf.port, |
| dbconf.name, |
| "/tls/ca.crt", |
| "/tls/tls.crt", |
| "/tls/tls.key", |
| ], |
| ] |
| }, |
| |
| verifier: ix.component("verifier") { |
| volumes: ix.crdb.volumes, |
| volumeMounts: ix.crdb.volumeMounts, |
| args: [ |
| "/ix/verifier", |
| "-hspki_disable", |
| "-listen_address=0.0.0.0:4200", |
| "-peeringdb=" + ix.peeringdb.address, |
| "-irr=" + ix.irr.address, |
| "-octorpki=" + ix.octorpki.address, |
| "-pgpencryptor=" + ix.pgpencryptor.address, |
| ] + ix.crdb.args(cfg.verifier.db), |
| }, |
| |
| pgpencryptor: ix.component("pgpencryptor") { |
| volumes: ix.crdb.volumes, |
| volumeMounts: ix.crdb.volumeMounts, |
| args: [ |
| "/ix/pgpencryptor", |
| "-hspki_disable", |
| "-listen_address=0.0.0.0:4200", |
| ] + ix.crdb.args(cfg.pgpencryptor.db), |
| }, |
| |
| frontend: ix.component("frontend") { |
| port: 8080, |
| args: [ |
| "/ix/frontend.par", |
| "--flask_secret=dupa", |
| "--listen=0.0.0.0:8080", |
| "--verifier=" + ix.verifier.address, |
| ], |
| }, |
| |
| ripeSync: kube.CronJob(ix.name("ripe-sync")) { |
| metadata+: ix.metadata("ripe-sync"), |
| spec+: { |
| schedule: "*/5 * * * *", |
| jobTemplate+: { |
| spec+: { |
| selector:: null, |
| template+: { |
| spec+: { |
| containers_: { |
| "ripe-sync": kube.Container(ix.name("ripe-sync")) { |
| image: cfg.image, |
| args: [ |
| "/ix/ripe-sync.par", |
| "$(PASSWORD)", |
| ix.verifier.address, |
| ], |
| env_: { |
| PASSWORD: { |
| secretKeyRef: { |
| name: ix.name("ripe-sync"), |
| key: "password", |
| }, |
| }, |
| }, |
| }, |
| }, |
| }, |
| }, |
| }, |
| }, |
| }, |
| }, |
| |
| ingress: kube.Ingress("ingress") { |
| metadata+: ix.metadata("public") { |
| annotations+: { |
| "kubernetes.io/tls-acme": "true", |
| "certmanager.k8s.io/cluster-issuer": "letsencrypt-prod", |
| "nginx.ingress.kubernetes.io/proxy-body-size": "0", |
| }, |
| }, |
| spec+: { |
| tls: [ |
| { hosts: [cfg.domain], secretName: "public-tls"} |
| ], |
| rules: [ |
| { |
| host: cfg.domain, |
| http: { |
| paths: [ |
| { path: "/", backend: ix.frontend.svc.name_port }, |
| ], |
| }, |
| }, |
| ], |
| }, |
| }, |
| |
| grpcIngress: kube.Ingress("grpc") { |
| metadata+: ix.metadata("grpc") { |
| annotations+: { |
| "kubernetes.io/tls-acme": "true", |
| "certmanager.k8s.io/cluster-issuer": "letsencrypt-prod", |
| "kubernetes.io/ingress.class": "nginx", |
| "nginx.ingress.kubernetes.io/ssl-redirect": "true", |
| "nginx.ingress.kubernetes.io/backend-protocol": "GRPC", |
| "nginx.ingress.kubernetes.io/whitelist-source-range": "185.236.240.34/32", |
| }, |
| }, |
| spec+: { |
| tls: [ |
| { hosts: [cfg.grpcDomain], secretName: "grpc-tls"} |
| ], |
| rules: [ |
| { |
| host: cfg.grpcDomain, |
| http: { |
| paths: [ |
| { path: "/", backend: ix.verifier.svc.name_port }, |
| ], |
| }, |
| }, |
| ], |
| }, |
| }, |
| }, |
| } |