# Top level cluster configuration.
3local kube = import "../../kube/kube.libsonnet";
Sergiusz Bazanski49b9a132019-01-14 00:02:59 +01004local coredns = import "lib/coredns.libsonnet";
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +01005local metrics = import "lib/metrics.libsonnet";
6local calico = import "lib/calico.libsonnet";
Sergiusz Bazanski1e565dc2019-01-18 09:40:59 +01007local metallb = import "lib/metallb.libsonnet";
Sergiusz Bazanskia9c7e862019-04-01 17:56:28 +02008local nginx = import "lib/nginx.libsonnet";
Sergiusz Bazanskib7fcc672019-04-01 18:40:50 +02009local rook = import "lib/rook.libsonnet";
Piotr Dobrowolski79ddbc52019-04-02 13:20:15 +020010local certmanager = import "lib/cert-manager.libsonnet";
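// Build the full set of Kubernetes objects that make up one cluster.
//
// fqdn: fully qualified domain name of the cluster. It is used verbatim as
//       the User subject of the API Server -> kubelet ClusterRoleBinding, so
//       it has to equal the CN of the certificate the API Server presents.
//
// Every field of the returned object is either a single Kubernetes object or
// a group of them (the lib/*.libsonnet Environments). `cluster` is bound to
// the object itself so later fields can reference earlier ones (e.g. the
// ClusterRoleBinding references the ClusterRole's name, the Ceph pools
// reference the Ceph cluster).
local Cluster(fqdn) = {
    local cluster = self,

    // ClusterRole required to let the API Server contact kubelets.
    // verbs: ["*"] on these node sub-resources is effectively unrestricted
    // access to the kubelet API on every node, which is why the only subject
    // bound to this role (crbAPIServer below) is the API Server's own identity.
    crAPIServerToKubelet: kube.ClusterRole("system:kube-apiserver-to-kubelet") {
        metadata+: {
            annotations+: {
                // Same annotation the built-in bootstrap RBAC objects carry.
                "rbac.authorization.kubernetes.io/autoupdate": "true",
            },
            labels+: {
                // Label key fixed here: it previously read "kubernets.io/…",
                // which did not match the well-known kubernetes.io/bootstrapping
                // label used by the default RBAC objects.
                "kubernetes.io/bootstrapping": "rbac-defaults",
            },
        },
        rules: [
            {
                apiGroups: [""],
                // nodes/proxy, nodes/stats, nodes/log, nodes/spec, nodes/metrics
                resources: ["nodes/%s" % r for r in ["proxy", "stats", "log", "spec", "metrics"]],
                verbs: ["*"],
            },
        ],
    },

    // Binds the role above to the API Server only.
    crbAPIServer: kube.ClusterRoleBinding("system:kube-apiserver") {
        roleRef: {
            apiGroup: "rbac.authorization.k8s.io",
            kind: "ClusterRole",
            // Reference by name so a rename of the role propagates here.
            name: cluster.crAPIServerToKubelet.metadata.name,
        },
        subjects: [
            {
                apiGroup: "rbac.authorization.k8s.io",
                kind: "User",
                // A cluster API Server authenticates with a certificate whose
                // CN is == to the FQDN of the cluster, so the User name is the
                // FQDN. Any other client certificate with this CN would get
                // the same kubelet access, so the cluster CA must not issue
                // one to anything but the API Server.
                name: fqdn,
            },
        ],
    },

    // Calico network fabric.
    calico: calico.Environment {},
    // CoreDNS for this cluster.
    dns: coredns.Environment {},
    // Metrics Server.
    metrics: metrics.Environment {},

    // Metal Load Balancer. The single address pool is a public IPv4 range
    // announced in layer2 mode; any Service of type LoadBalancer in this
    // cluster gets an address from it (and is therefore reachable from the
    // Internet unless restricted elsewhere).
    metallb: metallb.Environment {
        cfg+: {
            addressPools: [
                { name: "public-v4-1", protocol: "layer2", addresses: ["185.236.240.50-185.236.240.63"] },
            ],
        },
    },

    // Main nginx Ingress Controller.
    nginx: nginx.Environment {},

    // cert-manager and its cluster-wide ACME issuer. This points at the
    // production Let's Encrypt endpoint (rate-limited, issues real
    // certificates); the ACME account key is kept in the Secret named by
    // privateKeySecretRef and challenges are solved over HTTP-01.
    certmanager: certmanager.Environment {},
    issuer: certmanager.ClusterIssuer("letsencrypt-prod") {
        spec: {
            acme: {
                server: "https://acme-v02.api.letsencrypt.org/directory",
                email: "bofh@hackerspace.pl",
                privateKeySecretRef: {
                    name: "letsencrypt-prod",
                },
                http01: {},
            },
        },
    },

    // Rook Ceph storage operator.
    rook: rook.Operator {
        operator+: {
            spec+: {
                // TODO(q3k): Bring up the operator again when stability gets fixed
                // See: https://github.com/rook/rook/issues/3059#issuecomment-492378873
                // With replicas: 0 the operator is deployed but not running, so
                // changes to the CephCluster/pool objects below are not acted on
                // until this is raised again.
                replicas: 0,
            },
        },
    },

    // waw1 ceph cluster: three monitors spread over distinct nodes, and an
    // explicit list of storage nodes/devices (automatic node and device
    // discovery is disabled so only the listed disks are claimed).
    cephWaw1: rook.Cluster(cluster.rook, "ceph-waw1") {
        spec: {
            mon: {
                count: 3,
                allowMultiplePerNode: false,
            },
            storage: {
                useAllNodes: false,
                useAllDevices: false,
                config: {
                    databaseSizeMB: "1024",
                    journalSizeMB: "1024",
                },
                nodes: [
                    {
                        name: "bc01n01.hswaw.net",
                        location: "rack=dcr01 chassis=bc01 host=bc01n01",
                        devices: [{ name: "sda" }],
                    },
                    {
                        name: "bc01n02.hswaw.net",
                        location: "rack=dcr01 chassis=bc01 host=bc01n02",
                        devices: [{ name: "sda" }],
                    },
                    {
                        name: "bc01n03.hswaw.net",
                        location: "rack=dcr01 chassis=bc01 host=bc01n03",
                        devices: [{ name: "sda" }],
                    },
                ],
            },
        },
    },

    // Redundant block storage: 2 data + 1 coding chunk erasure coding with the
    // host as failure domain, i.e. it survives the loss of one host.
    cephWaw1Redundant: rook.ECBlockPool(cluster.cephWaw1, "waw-hdd-redundant-1") {
        spec: {
            failureDomain: "host",
            erasureCoded: {
                dataChunks: 2,
                codingChunks: 1,
            },
        },
    },

    // Yolo block storage (no replicas!): size 1 means a single copy of every
    // object, so losing the host that holds it loses the data.
    cephWaw1Yolo: rook.ReplicatedBlockPool(cluster.cephWaw1, "waw-hdd-yolo-1") {
        spec: {
            failureDomain: "host",
            replicated: {
                size: 1,
            },
        },
    },

    // S3-compatible object store on the waw1 cluster. Metadata is kept in
    // three replicas; object data uses the same 2+1 erasure coding as the
    // redundant block pool. Both use the host as failure domain.
    cephWaw1Object: rook.S3ObjectStore(cluster.cephWaw1, "waw-hdd-redundant-1-object") {
        spec: {
            metadataPool: {
                failureDomain: "host",
                replicated: { size: 3 },
            },
            dataPool: {
                failureDomain: "host",
                erasureCoded: {
                    dataChunks: 2,
                    codingChunks: 1,
                },
            },
        },
    },
};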
Sergiusz Bazanski4d9e72c2019-01-13 22:06:33 +0100160{
161 k0: Cluster("k0.hswaw.net"),
162}