// k0.hswaw.net kubernetes cluster
// This defines the cluster as a single object.
// Use the sibling k0*.jsonnet 'view' files to actually apply the configuration.
//
// Notes for reviewers of this file:
//  - Secrets are pulled in with importstr from ../secrets/plain/; anything that
//    renders this object therefore contains them in the clear and has to be
//    handled as sensitive output.
//  - unnecessarilyInsecureNamespaces and admitomatic.cfg.proto.allow_domain
//    (both at the bottom) are the cluster-wide authorization knobs defined
//    here; review changes to them with the same care as RBAC changes.

local kube = import "../../kube/kube.libsonnet";
local policies = import "../../kube/policies.libsonnet";

local cluster = import "cluster.libsonnet";

local admitomatic = import "lib/admitomatic.libsonnet";
local cockroachdb = import "lib/cockroachdb.libsonnet";
local registry = import "lib/registry.libsonnet";
local rook = import "lib/rook.libsonnet";

{
    k0: {
        local k0 = self,
        cluster: cluster.Cluster("k0", "hswaw.net") {
            cfg+: {
                // StorageClass for workloads that must not lose data. Points at
                // the host-redundant Ceph block pool defined in ceph.waw3Pools.
                storageClassNameParanoid: k0.ceph.waw3Pools.blockRedundant.name,
            },
            metallb+: {
                cfg+: {
                    // Peer with calico running on same node (loopback BGP
                    // session, MetalLB is AS 65002, calico is AS 65003).
                    peers: [
                        {
                            "peer-address": "127.0.0.1",
                            "peer-asn": 65003,
                            "my-asn": 65002,
                        },
                    ],
                    // Public IP address pools. Keep in sync with k0.calico.yaml.
                    // NOTE(review): nothing in this file enforces that sync; a
                    // prefix present here but missing there presumably just
                    // stops being announced — verify against k0.calico.yaml
                    // when editing either.
                    addressPools: [
                        {
                            name: "public-v4-1",
                            protocol: "bgp",
                            addresses: [
                                "185.236.240.48/28",
                            ],
                        },
                        {
                            name: "public-v4-2",
                            protocol: "bgp",
                            addresses: [
                                "185.236.240.112/28"
                            ],
                        },
                    ],
                },
            },
        },

        // Docker registry
        registry: registry.Environment {
            cfg+: {
                domain: "registry.%s" % [k0.cluster.fqdn],
                storageClassName: k0.cluster.cfg.storageClassNameParanoid,
                // Name of the radosgw zone/store defined in ceph.waw3Pools.object.
                objectStorageName: "waw-hdd-redundant-3-object",
            },
        },

        // CockroachDB, running on bc01n01, bc01n02 and dcr01s22 (see topology).
        cockroach: {
            // NOTE(review): the field is named waw2 but the cluster is named
            // "crdb-waw1" (and its hostPath/DNS follow that name). Every
            // Client() in clients below references k0.cockroach.waw2, so any
            // rename has to touch all of them at once.
            waw2: cockroachdb.Cluster("crdb-waw1") {
                cfg+: {
                    topology: [
                        { name: "bc01n01", node: "bc01n01.hswaw.net" },
                        { name: "bc01n02", node: "bc01n02.hswaw.net" },
                        { name: "dcr01s22", node: "dcr01s22.hswaw.net" },
                    ],
                    // Host path on SSD.
                    hostPath: "/var/db/crdb-waw1",
                    extraDNS: [
                        "crdb-waw1.hswaw.net",
                    ],
                },
            },
            // One Client() per consuming application/environment. What a
            // Client grants (per-user certificate, database scope) is defined
            // in lib/cockroachdb.libsonnet, not here — check there before
            // assuming clients are isolated from each other.
            clients: {
                cccampix: k0.cockroach.waw2.Client("cccampix"),
                cccampixDev: k0.cockroach.waw2.Client("cccampix-dev"),
                buglessDev: k0.cockroach.waw2.Client("bugless-dev"),
                sso: k0.cockroach.waw2.Client("sso"),
                herpDev: k0.cockroach.waw2.Client("herp-dev"),
                gitea: k0.cockroach.waw2.Client("gitea"),
                issues: k0.cockroach.waw2.Client("issues"),
                dns: k0.cockroach.waw2.Client("dns"),
            },
        },

        ceph: {
            // waw1 cluster - dead as of 2019/08/06, data corruption
            // waw2 cluster - dead as of 2021/01/22, torn down (horrible M610 RAID controllers are horrible)

            // waw3: 6TB SAS 3.5" HDDs, internal Rook cluster.
            //
            // Suffers from rook going apeshit and nuking all mons if enough of
            // a control plane is up for rook to run but if nodes are
            // unavailable to the point of it deciding that no mon exists and
            // it should create some new ones, fully nuking the monmap and
            // making recovery a pain.
            //
            // Supposedly new versions of Rook slowly fix these issues, but q3k
            // doesn't personally trust this codebase anymore. He'd rather
            // manage the actual Ceph cluster himself, we don't need all of this
            // magic.
            //
            // See: b.hswaw.net/6
            waw3: rook.Cluster(k0.cluster.rook, "ceph-waw3") {
                spec: {
                    mon: {
                        // NOTE(review): a single mon is a single point of
                        // failure for the cluster map (no quorum to fall back
                        // on), which interacts badly with the mon-nuking
                        // behaviour described above. Confirm this is a
                        // deliberate trade-off rather than a leftover.
                        count: 1,
                        allowMultiplePerNode: false,
                    },
                    resources: {
                        osd: {
                            requests: {
                                cpu: "2",
                                memory: "6G",
                            },
                            limits: {
                                cpu: "2",
                                memory: "8G",
                            },
                        },

                    },
                    storage: {
                        // Only the nodes and devices listed explicitly below
                        // become OSDs; rook must not auto-discover disks.
                        useAllNodes: false,
                        useAllDevices: false,
                        config: {
                            databaseSizeMB: "1024",
                            journalSizeMB: "1024",
                        },

                        // Devices are addressed by WWN (stable identity), so
                        // a /dev/sdX renumbering after a reboot or disk swap
                        // cannot silently pull a different disk into the
                        // cluster.
                        nodes: [
                            {
                                name: "dcr01s22.hswaw.net",
                                devices: [
                                    { name: "/dev/disk/by-id/wwn-0x" + id }
                                    for id in [
                                        "5000c5008508c433",
                                        "5000c500850989cf",
                                        "5000c5008508baf7",
                                    ]
                                ],
                            },
                            {
                                name: "dcr01s24.hswaw.net",
                                devices: [
                                    { name: "/dev/disk/by-id/wwn-0x" + id }
                                    for id in [
                                        "5000c5008508c9ef",
                                        "5000c5008508df33",
                                        "5000c5008508dd3b",
                                    ]
                                ],
                            },
                        ],
                    },
                    // Benji backup configuration. Hidden field (::), so it is
                    // not emitted as part of the rendered CephCluster spec;
                    // presumably consumed by rook.Cluster / a sibling view —
                    // verify in lib/rook.libsonnet.
                    benji:: {
                        metadataStorageClass: "waw-hdd-redundant-3",
                        // First line of the plain-text secret file. importstr
                        // embeds the value into the rendered manifests.
                        encryptionPassword: std.split((importstr "../secrets/plain/k0-benji-encryption-password"), '\n')[0],
                        // Pools that get backed up; note waw-hdd-yolo-3 (the
                        // non-host-redundant pool) is included.
                        pools: [
                            "waw-hdd-redundant-3",
                            "waw-hdd-redundant-3-metadata",
                            "waw-hdd-yolo-3",
                        ],
                        // Off-site target (Wasabi, eu-central-1).
                        s3Configuration: {
                            // The access key ID is committed in clear. It is
                            // not a secret by itself, but it identifies the
                            // Wasabi credential: rotate it together with the
                            // secret key below, which comes from the secrets
                            // store.
                            awsAccessKeyId: "RPYZIROFXNLQVU2WJ4R3",
                            awsSecretAccessKey: std.split((importstr "../secrets/plain/k0-benji-secret-access-key"), '\n')[0],
                            bucketName: "benji-k0-backups-waw3",
                            endpointUrl: "https://s3.eu-central-1.wasabisys.com/",
                        },
                    }
                },
            },
            waw3Pools: {
                // redundant block storage
                //
                // NOTE(review): blockRedundant uses rook.ECBlockPool with a
                // `replicated` spec, while blockYolo below uses
                // rook.ReplicatedBlockPool with an `erasureCoded` spec — the
                // constructor names and the specs look swapped. Confirm in
                // lib/rook.libsonnet which spec fields each constructor
                // actually consumes before relying on the names.
                //
                // Two copies across two hosts: the pool survives one host
                // loss, but with only two OSD hosts listed above there is no
                // room to re-replicate while a host is down.
                blockRedundant: rook.ECBlockPool(k0.ceph.waw3, "waw-hdd-redundant-3") {
                    metadataReplicas: 2,
                    spec: {
                        failureDomain: "host",
                        replicated: {
                            size: 2,
                        },
                    },
                },
                // yolo block storage (low usage, no host redundancy)
                // failureDomain "osd": chunks may all land on one host, so a
                // single host outage can make this pool unavailable.
                blockYolo: rook.ReplicatedBlockPool(k0.ceph.waw3, "waw-hdd-yolo-3") {
                    spec: {
                        failureDomain: "osd",
                        erasureCoded: {
                            dataChunks: 2,
                            codingChunks: 1,
                        },
                    },
                },
                // q3k's personal pool, used externally from k8s.
                // Same layout as blockRedundant.
                q3kRedundant: rook.ECBlockPool(k0.ceph.waw3, "waw-hdd-redundant-q3k-3") {
                    metadataReplicas: 2,
                    spec: {
                        failureDomain: "host",
                        replicated: {
                            size: 2,
                        },
                    },
                },

                // radosgw (S3) object storage.
                object: {
                    // Shared by the metadata and data pools of the store
                    // below; changing it changes both.
                    local poolSpec = {
                        failureDomain: "host",
                        replicated: { size: 2 },
                    },

                    realm: rook.S3ObjectRealm(k0.ceph.waw3, "hscloud"),
                    zonegroup: rook.S3ObjectZoneGroup(self.realm, "eu"),
                    // This is serving at object.ceph-waw3.hswaw.net, but
                    // internally to Ceph it is known as
                    // waw-hdd-redundant-3-object (name of radosgw zone).
                    // The registry above and every CephObjectStoreUser in
                    // ceph.clients reference this store by that internal name.
                    store: rook.S3ObjectStore(self.zonegroup, "waw-hdd-redundant-3-object") {
                        cfg+: {
                            // Override so that this radosgw serves on
                            // object.ceph-{waw3,eu}.hswaw.net instead of
                            // ceph-{waw-hdd-redundant-3-object,eu}.
                            // Both hostnames must stay listed for the
                            // ceph-waw3 namespace in admitomatic.allow_domain
                            // below.
                            domainParts: [
                                "waw3", "eu",
                            ],
                        },
                        spec: {
                            metadataPool: poolSpec,
                            dataPool: poolSpec,
                        },
                    },
                },
            },

            // Clients for S3/radosgw storage.
            // Each entry creates one radosgw user on waw-hdd-redundant-3-object.
            // Where the generated credentials end up (presumably a Secret in
            // the ceph-waw3 namespace, managed by rook) is not visible here —
            // verify before granting other namespaces access to it.
            clients: {
                # Used for owncloud.hackerspace.pl, which for now lives on boston-packets.hackerspace.pl.
                nextcloudWaw3: kube.CephObjectStoreUser("nextcloud") {
                    metadata+: {
                        namespace: "ceph-waw3",
                    },
                    spec: {
                        store: "waw-hdd-redundant-3-object",
                        displayName: "nextcloud",
                    },
                },
                # issues.hackerspace.pl (redmine) attachments bucket
                issuesWaw3: kube.CephObjectStoreUser("issues") {
                    metadata+: {
                        namespace: "ceph-waw3",
                    },
                    spec: {
                        store: "waw-hdd-redundant-3-object",
                        displayName: "issues",
                    },
                },

                # nuke@hackerspace.pl's personal storage.
                nukePersonalWaw3: kube.CephObjectStoreUser("nuke-personal") {
                    metadata+: {
                        namespace: "ceph-waw3",
                    },
                    spec: {
                        store: "waw-hdd-redundant-3-object",
                        displayName: "nuke-personal",
                    },
                },

                # patryk@hackerspace.pl's ArmA3 mod bucket.
                cz2ArmaModsWaw3: kube.CephObjectStoreUser("cz2-arma3mods") {
                    metadata+: {
                        namespace: "ceph-waw3",
                    },
                    spec: {
                        store: "waw-hdd-redundant-3-object",
                        displayName: "cz2-arma3mods",
                    },
                },
                # Buckets for spark pipelines
                # TODO(implr): consider a second yolo-backed one for temp data
                implrSparkWaw3: kube.CephObjectStoreUser("implr-spark") {
                    metadata+: {
                        namespace: "ceph-waw3",
                    },
                    spec: {
                        store: "waw-hdd-redundant-3-object",
                        displayName: "implr-spark",
                    },
                },
                # q3k's personal user
                q3kWaw3: kube.CephObjectStoreUser("q3k") {
                    metadata+: {
                        namespace: "ceph-waw3",
                    },
                    spec: {
                        store: "waw-hdd-redundant-3-object",
                        displayName: "q3k",
                    },
                },
                # woju's personal user
                wojuWaw3: kube.CephObjectStoreUser("woju") {
                    metadata+: {
                        namespace: "ceph-waw3",
                    },
                    spec: {
                        store: "waw-hdd-redundant-3-object",
                        displayName: "woju",
                    },
                },
                # cz3's (patryk@hackerspace.pl) personal user
                cz3Waw3: kube.CephObjectStoreUser("cz3") {
                    metadata+: {
                        namespace: "ceph-waw3",
                    },
                    spec: {
                        store: "waw-hdd-redundant-3-object",
                        displayName: "cz3",
                    },
                },
            },
        },


        # These are policies allowing for Insecure pods in some namespaces.
        # A lot of them are spurious and come from the fact that we deployed
        # these namespaces before we deployed the draconian PodSecurityPolicy
        # we have now. This should be fixed by setting up some more granular
        # policies, or fixing the workloads to not need some of the permission
        # bits they use, whatever those might be.
        # TODO(q3k): fix this?
        #
        # NOTE(review): whatever AllowNamespaceInsecure grants (see
        # ../../kube/policies.libsonnet), it applies to every pod in the
        # namespace, so anyone who can create pods in these namespaces gets
        # it too. Treat additions here as privilege grants; ceph-waw3 plausibly
        # needs it for OSD raw-device access, the others deserve the audit
        # the TODO asks for.
        unnecessarilyInsecureNamespaces: [
            policies.AllowNamespaceInsecure("ceph-waw3"),
            policies.AllowNamespaceInsecure("matrix"),
            policies.AllowNamespaceInsecure("registry"),
            policies.AllowNamespaceInsecure("internet"),
            # TODO(implr): restricted policy with CAP_NET_ADMIN and tuntap, but no full root
            policies.AllowNamespaceInsecure("implr-vpn"),
        ],

        # Admission controller that permits non-privileged users to manage
        # their namespaces without danger of hijacking important URLs.
        admitomatic: admitomatic.Environment {
            cfg+: {
                proto: {
                    // Domains allowed in given namespaces. If a domain exists
                    // anywhere, ingresses will only be permitted to be created
                    // within namespaces in which it appears here. This works
                    // the same way for wildcards, if a wildcard exists in this
                    // list it blocks all unauthorized uses of that domain
                    // elsewhere.
                    //
                    // See //cluster/admitomatic for more information.
                    //
                    // Or, tl;dr:
                    //
                    // If you do a wildcard CNAME onto the k0 ingress, you
                    // should explicitly state *.your.name.com here.
                    //
                    // If you just want to protect your host from being
                    // hijacked by other cluster users, you should also state
                    // it here (either as a wildcard, or unary domains).
                    //
                    // NOTE(review): the wildcard *.hswaw.net is granted to
                    // three namespaces (hswaw-prod, monitoring-global-k0,
                    // registry), so each of them can claim any hswaw.net
                    // host, including the others'. The registry entry looks
                    // broader than the single "registry.<fqdn>" host it
                    // serves (see registry.cfg.domain above) — consider
                    // narrowing it. How a specific host (e.g.
                    // covid19.hackerspace.pl) interacts with the
                    // *.hackerspace.pl wildcard held by hswaw-prod is decided
                    // in //cluster/admitomatic, not here.
                    allow_domain: [
                        { namespace: "covid-formity", dns: "covid19.hackerspace.pl" },
                        { namespace: "covid-formity", dns: "covid.hackerspace.pl" },
                        { namespace: "covid-formity", dns: "www.covid.hackerspace.pl" },
                        { namespace: "devtools-prod", dns: "hackdoc.hackerspace.pl" },
                        { namespace: "devtools-prod", dns: "cs.hackerspace.pl" },
                        { namespace: "engelsystem-prod", dns: "engelsystem.hackerspace.pl" },
                        { namespace: "gerrit", dns: "gerrit.hackerspace.pl" },
                        { namespace: "gitea-prod", dns: "gitea.hackerspace.pl" },
                        { namespace: "hswaw-prod", dns: "*.hackerspace.pl" },
                        { namespace: "hswaw-prod", dns: "*.hswaw.net" },
                        { namespace: "internet", dns: "internet.hackerspace.pl" },
                        { namespace: "matrix", dns: "matrix.hackerspace.pl" },
                        { namespace: "onlyoffice-prod", dns: "office.hackerspace.pl" },
                        { namespace: "redmine", dns: "issues.hackerspace.pl" },
                        { namespace: "redmine", dns: "b.hackerspace.pl" },
                        { namespace: "redmine", dns: "b.hswaw.net" },
                        { namespace: "redmine", dns: "xn--137h.hackerspace.pl" },
                        { namespace: "redmine", dns: "xn--137h.hswaw.net" },
                        { namespace: "speedtest", dns: "speedtest.hackerspace.pl" },
                        { namespace: "sso", dns: "sso.hackerspace.pl" },

                        // Both radosgw hostnames from ceph.waw3Pools.object.store.
                        { namespace: "ceph-waw3", dns: "ceph-waw3.hswaw.net" },
                        { namespace: "ceph-waw3", dns: "object.ceph-waw3.hswaw.net" },
                        { namespace: "ceph-waw3", dns: "object.ceph-eu.hswaw.net" },
                        { namespace: "monitoring-global-k0", dns: "*.hswaw.net" },
                        { namespace: "registry", dns: "*.hswaw.net" },

                        // q3k's legacy namespace (pre-prodvider)
                        // Both namespaces hold the same wildcard, presumably
                        // for the duration of the migration; drop the legacy
                        // entry once that namespace is empty.
                        { namespace: "q3k", dns: "*.q3k.org" },
                        { namespace: "personal-q3k", dns: "*.q3k.org" },
                    ],
                },
            },
        },
    },
}