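# Kubernetes manifests for the sso-v2 service: one Deployment, a ClusterIP
# Service in front of it, and an Ingress for cfg.domain.
#
# Secrets this manifest expects to exist in the namespace (none are created
# here):
#   - "sso"            : keys secret_key and ldap_bind_password (see below)
#   - "sso-jwk"        : RSA key pair, exposed to the app as
#                        /jwk/public.pem and /jwk/private.pem
#   - cfg.database.tlsSecret : CockroachDB client cert, read as
#                        /tls/ca.crt, /tls/tls.crt, /tls/tls.key
#
# kubectl create secret generic sso --from-literal=secret_key=$(pwgen 24 1) --from-literal=ldap_bind_password=...

local kube = import "../../../kube/hscloud.libsonnet";

{
    local top = self,
    local cfg = top.cfg,

    # Hidden (::) so it is not emitted as a Kubernetes object. Every field
    # marked `error` has no sane default and must be supplied by whoever
    # instantiates this object.
    cfg:: {
        namespace: "sso",
        image: "registry.k0.hswaw.net/informatic/sso-v2@sha256:1118effa697489028c3cd5a6786d3f94f16dbbe2810b1bf1b0f65ea15bac1914",
        domain: error "domain must be set",
        database: {
            host: error "database.host must be set",
            name: error "database.name must be set",
            username: error "database.username must be set",
            port: 26257,
            # Name of the Secret holding the CockroachDB client certificate.
            tlsSecret: error "database.tlsSecret must be set",
        },
    },

    # secretKeyRef fragments for the two values in the "sso" Secret, so the
    # secrets are never written into the rendered manifest as plain values.
    # NOTE(review): assumed to be rendered by env_ as `valueFrom` entries --
    # confirm against kube.Container in hscloud.libsonnet.
    secretRefs:: {
        ldap_bind_password: { secretKeyRef: { name: "sso", key: "ldap_bind_password" } },
        secret_key: { secretKeyRef: { name: "sso", key: "secret_key" } },
    },

    local ns = kube.Namespace(top.cfg.namespace),

    deployment: ns.Contain(kube.Deployment("sso")) {
        spec+: {
            replicas: 1,
            template+: {
                spec+: {
                    volumes_: {
                        # Raw CockroachDB client cert as mounted by k8s; only
                        # read by the secret-copy init container.
                        crdb: {
                            secret: {
                                secretName: cfg.database.tlsSecret,
                                defaultMode: std.parseOctal("0600"),
                            },
                        },
                        # JWT signing key pair. Restrict the file mode the same
                        # way as crdb above so the private key is not left at
                        # the Secret-volume default (world-readable inside the
                        # pod); the service user still reads it via fsGroup 101,
                        # exactly as the secret-copy container reads crdb.
                        jwk: {
                            secret: {
                                secretName: "sso-jwk",
                                defaultMode: std.parseOctal("0600"),
                            },
                        },
                        tlscopy: kube.EmptyDirVolume(), # see initContainers_.secretCopy
                    },
                    # Run unprivileged; fsGroup lets the service user read the
                    # Secret volumes above without them being world-readable.
                    securityContext: {
                        runAsUser: 100,
                        runAsGroup: 101,
                        fsGroup: 101,
                    },
                    initContainers_: {
                        # psycopg2 / libpq wants its TLS secret keys to be only
                        # readable by running process. As k8s exposes
                        # secrets/configmaps as symlinks, libpq gets confused
                        # and refuses to start, unless we dereference these into
                        # a local copy with proper permissions.
                        secretCopy: kube.Container("secret-copy") {
                            image: cfg.image,
                            command: ["sh", "-c", "cp -fv /tls-orig/* /tls && chmod 0400 /tls/*"],
                            volumeMounts_: {
                                crdb: { mountPath: "/tls-orig" },
                                tlscopy: { mountPath: "/tls" },
                            },
                        },
                    },
                    containers_: {
                        web: kube.Container("sso") {
                            image: cfg.image,
                            ports_: {
                                http: { containerPort: 5000 },
                            },
                            env_: {
                                # Client-certificate auth against CockroachDB; the
                                # cert paths point at the init container's copy.
                                # NOTE(review): with libpq, sslmode=require plus a
                                # root cert validates the chain but not the server
                                # hostname; sslmode=verify-full would also check the
                                # name against cfg.database.host -- confirm the
                                # server cert's SANs before switching.
                                DATABASE_URI: "cockroachdb://%s@%s:%d/%s?sslmode=require&sslrootcert=%s&sslcert=%s&sslkey=%s" % [
                                    cfg.database.username,
                                    cfg.database.host,
                                    cfg.database.port,
                                    cfg.database.name,
                                    "/tls/ca.crt",
                                    "/tls/tls.crt",
                                    "/tls/tls.key",
                                ],

                                # Pulled from the "sso" Secret, never inlined.
                                LDAP_BIND_PASSWORD: top.secretRefs.ldap_bind_password,
                                SECRET_KEY: top.secretRefs.secret_key,
                                LOGGING_LEVEL: "INFO",

                                # Token signing: RS256 with the sso-jwk key pair.
                                # JWT_EXP is presumably a lifetime in seconds --
                                # confirm in the sso-v2 application.
                                JWT_ALG: "RS256",
                                JWT_EXP: "600",

                                JWT_PUBLIC_KEYS: "/jwk/public.pem",
                                JWT_PRIVATE_KEY: "/jwk/private.pem",
                            },
                            volumeMounts_: {
                                tlscopy: { mountPath: "/tls" },
                                jwk: { mountPath: "/jwk" },
                            },
                        },
                    },
                },
            },
        },
    },

    svc: ns.Contain(kube.Service("sso")) {
        # Hidden field consumed by kube.Service to derive the selector
        # (hscloud convention -- not part of the rendered object).
        target:: top.deployment,
        spec+: {
            ports: [
                { name: "http", port: 5000, targetPort: 5000, protocol: "TCP" },
            ],
            type: "ClusterIP",
        },
    },

    ingress: ns.Contain(kube.SimpleIngress("sso")) {
        hosts:: [cfg.domain],
        target_service:: top.svc,
    },
}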