| local kube = import "../../../kube/kube.libsonnet"; |
| |
| { |
| local app = self, |
| local cfg = app.cfg, |
| |
| cfg:: { |
| namespace: error "cfg.namespace must be set", |
| webDomain: error "cfg.webDomain must be set", |
| images: { |
| web: "registry.k0.hswaw.net/implr/mailman-web:0.6", |
| # https://github.com/octeep/wireproxy |
| wireproxy: "registry.k0.hswaw.net/implr/wireproxy:1.0.5" |
| }, |
| passwords: { |
| postgres: error "cfg.secrets.postgres must be set", |
| mailmanRest: error "cfg.secrets.mailmanRest must be set", |
| mailmanArchiver: error "cfg.secrets.mailmanArchiver must be set", |
| }, |
| smtp: { |
| user: "postorius", |
| # from mail server |
| password: error "cfg.smtp.password must be set", |
| }, |
| secrets: { |
| djangoSecretKey: error "cfg.secrets.djangoSecretKey must be set", |
| }, |
| wg: { |
| peerPubkey: error "cfg.wg.peerPubkey must be set", |
| privkey: error "cfg.wg.privkey must be set", |
| endpoint: error "cfg.wg.endpoint must be set", |
| }, |
| }, |
| |
| env:: { |
| WEB_DOMAIN: cfg.webDomain, |
| BIND_ADDR: "0.0.0.0:8080", |
| |
| //DB_HOST: app.postgres.svc.host, |
| DB_HOST: "boston-packets.hackerspace.pl", |
| DB_USER: "mailman", |
| DB_NAME: "mailman-web", |
| DB_PASS: kube.SecretKeyRef(app.config, "postgres-pass"), |
| DB_PORT: "5432", |
| |
| |
| SMTP_HOST: "mail.hackerspace.pl", |
| SMTP_PORT: "587", |
| SMTP_USER: "postorius", |
| SMTP_PASSWORD: kube.SecretKeyRef(app.config, "smtp-password"), |
| |
| SECRET_KEY: kube.SecretKeyRef(app.config, "django-secret-key"), |
| MAILMAN_REST_API_PASS: kube.SecretKeyRef(app.config, 'mailman-api-password'), |
| MAILMAN_ARCHIVER_KEY: kube.SecretKeyRef(app.config, 'mailman-archiver-key'), |
| |
| }, |
| |
| namespace: kube.Namespace(cfg.namespace), |
| local ns = self.namespace, |
| |
| |
| web: ns.Contain(kube.Deployment("web")) { |
| spec+: { |
| minReadySeconds: 10, |
| replicas: 1, |
| template+: { |
| spec+: { |
| initContainers_: { |
| migrate: kube.Container("migrate") { |
| image: cfg.images.web, |
| env_: app.env, |
| args: [ |
| "manage", "migrate", |
| ], |
| }, |
| }, |
| volumes_: { |
| config: kube.SecretVolume(app.wireproxyConfig), |
| }, |
| containers_: { |
| default: kube.Container("default") { |
| image: cfg.images.web, |
| env_: app.env, |
| args: ["serve"], |
| ports_: { |
| web: { containerPort: 8080 }, |
| }, |
| # readinessProbe: { |
| # httpGet: { |
| # path: "/", |
| # port: "web", |
| # }, |
| # failureThreshold: 10, |
| # periodSeconds: 5, |
| # }, |
| resources: { |
| requests: { |
| cpu: "250m", |
| memory: "1024M", |
| }, |
| limits: { |
| cpu: "1", |
| memory: "1024M", |
| }, |
| }, |
| }, |
| wireproxy: kube.Container("wireproxy") { |
| image: cfg.images.wireproxy, |
| resources: { |
| requests: { |
| cpu: "100m", |
| memory: "64M", |
| }, |
| limits: { |
| cpu: "200m", |
| memory: "128M", |
| }, |
| }, |
| volumeMounts_: { |
| config: { mountPath: "/etc/wireproxy/config", subPath: "config" } |
| }, |
| }, |
| }, |
| }, |
| }, |
| }, |
| }, |
| |
| local manifestIniMultisection(sname, values) = std.join('\n', |
| [std.manifestIni({ |
| sections: { |
| [sname]: i, |
| }}) for i in values]), |
| wireproxyConfig: ns.Contain(kube.Secret("wireproxy-config")) { |
| data: { |
| config: std.base64(std.manifestIni({ |
| sections: { |
| Interface: { |
| Address: cfg.wg.address, |
| PrivateKey: cfg.wg.privkey, |
| }, |
| Peer: { |
| PublicKey: cfg.wg.peerPubkey, |
| Endpoint: cfg.wg.endpoint, |
| }, |
| |
| }, |
| }) + manifestIniMultisection("TCPClientTunnel", [ |
| # { |
| # # postgres |
| # ListenPort: 5432, |
| # Target: "localhost:5432", |
| # }, |
| { |
| # mailman core api |
| BindAddress: "127.0.0.1:8001", |
| Target: "172.17.1.1:8001", |
| }, |
| ])), |
| }, |
| }, |
| |
| |
| svcWeb: ns.Contain(kube.Service("web")) { |
| target_pod: app.web.spec.template, |
| spec+: { |
| # hax |
| type: "LoadBalancer", |
| externalTrafficPolicy: "Local", |
| }, |
| }, |
| |
| |
| #ingress: ns.Contain(kube.Ingress("mailman")) { |
| # metadata+: { |
| # annotations+: { |
| # "kubernetes.io/tls-acme": "true", |
| # "certmanager.k8s.io/cluster-issuer": "letsencrypt-prod", |
| # "nginx.ingress.kubernetes.io/proxy-body-size": "0", |
| # }, |
| # }, |
| # spec+: { |
| # tls: [ |
| # { |
| # hosts: [cfg.webDomain], |
| # secretName: "mailman-ingress-tls", |
| # }, |
| # ], |
| # rules: [ |
| # { |
| # host: cfg.webDomain, |
| # http: { |
| # paths: [ |
| # { path: "/", backend: app.svcWeb.name_port }, |
| # //{ path: "/static/", backend: app.svcStatic.name_port }, |
| # ], |
| # }, |
| # }, |
| # ], |
| # }, |
| #}, |
| |
| config: ns.Contain(kube.Secret("config")) { |
| data_: { |
| "postgres-pass": cfg.passwords.postgres, |
| "django-secret-key": cfg.secrets.djangoSecretKey, |
| |
| "smtp-password": cfg.smtp.password, |
| |
| "mailman-api-password": cfg.mailmanCore.mailmanApiPass, |
| "mailman-archiver-key": cfg.mailmanCore.mailmanArchiverKey, |
| |
| }, |
| }, |
| } |