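# kubectl create secret generic sso --from-literal=secret_key=$(pwgen 24 1) --from-literal=ldap_bind_password=...
#
# Deploys the sso-v2 web service (listening on :5000) behind an ACME-backed
# Ingress, talking to CockroachDB with a client certificate. The "sso" Secret
# created by the command above (keys: secret_key, ldap_bind_password) is
# provisioned out-of-band; this file only references it.

local kube = import "../../../kube/kube.libsonnet";

{
    local app = self,
    local cfg = app.cfg,

    # Tunables. Consumers override these with `cfg+:: { ... }`; fields that
    # evaluate to `error` have no sane default and must be supplied.
    cfg:: {
        namespace: "sso",
        image: "registry.k0.hswaw.net/informatic/sso-v2@sha256:3b277a8e2b3c3225d7da10aee37774266f9eb2aa536e7a390160f550b3556087",
        domain: error "domain must be set",
        # Value of the LOGGING_LEVEL env var. Defaults to DEBUG to preserve
        # the previous hard-coded behaviour; production deployments should
        # lower it, since an SSO service logging at DEBUG may write request
        # details (credentials, tokens) to stdout where anyone with log
        # access can read them.
        logLevel: "DEBUG",
        # Name of the Secret holding secret_key and ldap_bind_password
        # (the one created by the kubectl command at the top of this file).
        secretName: "sso",
        database: {
            host: error "database.host must be set",
            name: error "database.name must be set",
            username: error "database.username must be set",
            port: 26257,
            # Secret providing ca.crt, tls.crt and tls.key; these names are
            # what DATABASE_URI below expects after the initContainer copy.
            tlsSecret: error "database.tlsSecret must be set",
        },
    },

    ns: kube.Namespace(app.cfg.namespace),

    deployment: app.ns.Contain(kube.Deployment("sso")) {
        spec+: {
            replicas: 1,
            template+: {
                spec+: {
                    volumes_: {
                        # Original TLS material from the Secret, owner-only
                        # readable (0600) on the projected files.
                        crdb: {
                            secret: {
                                secretName: cfg.database.tlsSecret,
                                defaultMode: std.parseOctal("0600"),
                            },
                        },
                        tlscopy: kube.EmptyDirVolume(), # see initContainers_.secretCopy
                    },
                    # Pod-level context: applies to the init container and
                    # the web container alike, so the files copied below are
                    # owned by the same uid (100) that later reads them.
                    securityContext: {
                        runAsUser: 100,
                        runAsGroup: 101,
                        fsGroup: 101,
                    },
                    initContainers_: {
                        # psycopg2 / libpq wants its TLS secret keys to be only
                        # readable by running process. As k8s exposes
                        # secrets/configmaps as symlinks, libpq gets confused
                        # and refuses to start, unless we dereference these into
                        # a local copy with proper permissions.
                        #
                        # The copy lands in an emptyDir (tlscopy) with mode
                        # 0400, so the key never leaves the pod and is readable
                        # only by the service's own uid.
                        secretCopy: kube.Container("secret-copy") {
                            image: cfg.image,
                            command: ["sh", "-c", "cp -fv /tls-orig/* /tls && chmod 0400 /tls/*"],
                            volumeMounts_: {
                                crdb: { mountPath: "/tls-orig" },
                                tlscopy: { mountPath: "/tls" },
                            },
                        },
                    },
                    containers_: {
                        web: kube.Container("sso") {
                            image: cfg.image,
                            ports_: {
                                http: { containerPort: 5000 },
                            },
                            env_: {
                                # Client-certificate auth against CockroachDB.
                                # NOTE(review): sslmode=require is used with an
                                # explicit sslrootcert; verify-full would
                                # additionally pin the server hostname to
                                # cfg.database.host. Confirm the server cert's
                                # SAN matches before tightening this.
                                DATABASE_URI: "cockroachdb://%s@%s:%d/%s?sslmode=require&sslrootcert=%s&sslcert=%s&sslkey=%s" % [
                                    cfg.database.username,
                                    cfg.database.host,
                                    cfg.database.port,
                                    cfg.database.name,
                                    "/tls/ca.crt",
                                    "/tls/tls.crt",
                                    "/tls/tls.key",
                                ],

                                # Both pulled from the out-of-band Secret, never
                                # inlined into the manifest.
                                LDAP_BIND_PASSWORD: { secretKeyRef: { name: cfg.secretName, key: "ldap_bind_password" } },
                                SECRET_KEY: { secretKeyRef: { name: cfg.secretName, key: "secret_key" } },
                                LOGGING_LEVEL: cfg.logLevel,
                            },
                            volumeMounts_: {
                                # Only the dereferenced, 0400 copy is visible to
                                # the application; the raw Secret mount is not.
                                tlscopy: { mountPath: "/tls" },
                            },
                        },
                    },
                },
            },
        },
    },

    # Cluster-internal service fronting the web container's :5000.
    svc: app.ns.Contain(kube.Service("sso")) {
        target_pod:: app.deployment.spec.template,
        spec+: {
            ports: [
                { name: "http", port: 5000, targetPort: 5000, protocol: "TCP" },
            ],
            type: "ClusterIP",
        },
    },

    # Public entry point for cfg.domain. TLS is terminated at the ingress with
    # a cert-manager-issued certificate (letsencrypt-prod) stored in sso-tls;
    # proxy-body-size "0" lifts the ingress request body size limit.
    ingress: app.ns.Contain(kube.Ingress("sso")) {
        metadata+: {
            annotations+: {
                "kubernetes.io/tls-acme": "true",
                "certmanager.k8s.io/cluster-issuer": "letsencrypt-prod",
                "nginx.ingress.kubernetes.io/proxy-body-size": "0",
            },
        },
        spec+: {
            tls: [
                {
                    hosts: [cfg.domain],
                    secretName: "sso-tls",
                },
            ],
            rules: [
                {
                    host: cfg.domain,
                    http: {
                        paths: [
                            { path: "/", backend: app.svc.name_port },
                        ]
                    },
                }
            ],
        },
    },
}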