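// k0.hswaw.net kubernetes cluster
// This defines the cluster as a single object.
// Use the sibling k0*.jsonnet 'view' files to actually apply the configuration.

local kube = import "../../kube/kube.libsonnet";
local policies = import "../../kube/policies.libsonnet";

local cluster = import "cluster.libsonnet";

local admitomatic = import "lib/admitomatic.libsonnet";
local cockroachdb = import "lib/cockroachdb.libsonnet";
local registry = import "lib/registry.libsonnet";
local rook = import "lib/rook.libsonnet";

{
    k0: {
        // Self-reference so nested objects can cross-reference other parts
        // of the cluster definition (pools, storage classes, clients, ...).
        local k0 = self,
        cluster: cluster.Cluster("k0", "hswaw.net") {
            cfg+: {
                // Resolves to the name of the redundant waw3 block pool
                // defined in waw3Pools below.
                storageClassNameParanoid: k0.ceph.waw3Pools.blockRedundant.name,
            },
            metallb+: {
                cfg+: {
                    // Peer with calico running on same node.
                    peers: [
                        {
                            "peer-address": "127.0.0.1",
                            "peer-asn": 65003,
                            "my-asn": 65002,
                        },
                    ],
                    // Public IP address pools. Keep in sync with k0.calico.yaml.
                    addressPools: [
                        {
                            name: "public-v4-1",
                            protocol: "bgp",
                            addresses: [
                                "185.236.240.48/28",
                            ],
                        },
                        {
                            name: "public-v4-2",
                            protocol: "bgp",
                            addresses: [
                                "185.236.240.112/28"
                            ],
                        },
                    ],
                },
            },
        },

        // Docker registry
        registry: registry.Environment {
            cfg+: {
                domain: "registry.%s" % [k0.cluster.fqdn],
                storageClassName: k0.cluster.cfg.storageClassNameParanoid,
                // Must match an S3ObjectStore name in waw3Pools below.
                objectStorageName: "waw-hdd-redundant-3-object",
            },
        },

        // CockroachDB, running on bc01n{01,02} and dcr01s22 (see topology below).
        cockroach: {
            // NOTE(review): the key is waw2 but the cluster is named crdb-waw1;
            // hostPath and extraDNS below carry that name too, so do not rename
            // one without the others.
            waw2: cockroachdb.Cluster("crdb-waw1") {
                cfg+: {
                    topology: [
                        { name: "bc01n01", node: "bc01n01.hswaw.net" },
                        { name: "bc01n02", node: "bc01n02.hswaw.net" },
                        { name: "dcr01s22", node: "dcr01s22.hswaw.net" },
                    ],
                    // Host path on SSD.
                    hostPath: "/var/db/crdb-waw1",
                    extraDNS: [
                        "crdb-waw1.hswaw.net",
                    ],
                },
            },
            // Per-application clients; Client() comes from lib/cockroachdb.libsonnet.
            clients: {
                cccampix: k0.cockroach.waw2.Client("cccampix"),
                cccampixDev: k0.cockroach.waw2.Client("cccampix-dev"),
                buglessDev: k0.cockroach.waw2.Client("bugless-dev"),
                sso: k0.cockroach.waw2.Client("sso"),
                herpDev: k0.cockroach.waw2.Client("herp-dev"),
                gitea: k0.cockroach.waw2.Client("gitea"),
                issues: k0.cockroach.waw2.Client("issues"),
            },
        },

        ceph: {
            // waw1 cluster - dead as of 2019/08/06, data corruption
            // waw2 cluster - dead as of 2021/01/22, torn down (horrible M610 RAID controllers are horrible)

            // waw3: 6TB SAS 3.5" HDDs
            waw3: rook.Cluster(k0.cluster.rook, "ceph-waw3") {
                spec: {
                    mon: {
                        // NOTE(review): a single mon gives no quorum redundancy;
                        // losing it takes the cluster down - confirm this is intended.
                        count: 1,
                        allowMultiplePerNode: false,
                    },
                    storage: {
                        useAllNodes: false,
                        useAllDevices: false,
                        config: {
                            databaseSizeMB: "1024",
                            journalSizeMB: "1024",
                        },
                        // Each node's `location` is its CRUSH location and must name
                        // the node's own host, otherwise pools with
                        // failureDomain: "host" cannot spread replicas across machines.
                        nodes: [
                            {
                                name: "dcr01s22.hswaw.net",
                                location: "rack=dcr01 host=dcr01s22",
                                devices: [
                                    // https://github.com/rook/rook/issues/1228
                                    //{ name: "disk/by-id/wwan-0x" + wwan }
                                    //for wwan in [
                                    //    "5000c5008508c433",
                                    //    "5000c500850989cf",
                                    //    "5000c5008508f843",
                                    //    "5000c5008508baf7",
                                    //]
                                    { name: "sdn" },
                                    { name: "sda" },
                                    { name: "sdb" },
                                    { name: "sdc" },
                                ],
                            },
                            {
                                name: "dcr01s24.hswaw.net",
                                // Fixed: previously "host=dcr01s22" (copied from the node
                                // above), which labelled both machines as the same host.
                                location: "rack=dcr01 host=dcr01s24",
                                devices: [
                                    // https://github.com/rook/rook/issues/1228
                                    //{ name: "disk/by-id/wwan-0x" + wwan }
                                    //for wwan in [
                                    //    "5000c5008508ee03",
                                    //    "5000c5008508c9ef",
                                    //    "5000c5008508df33",
                                    //    "5000c5008508dd3b",
                                    //]
                                    { name: "sdm" },
                                    { name: "sda" },
                                    { name: "sdb" },
                                    { name: "sdc" },
                                ],
                            },
                        ],
                    },
                    // Backup configuration (hidden field, not emitted into the CephCluster).
                    benji:: {
                        metadataStorageClass: "waw-hdd-redundant-3",
                        // First line of the secret file; split() strips the trailing newline.
                        encryptionPassword: std.split((importstr "../secrets/plain/k0-benji-encryption-password"), '\n')[0],
                        pools: [
                            "waw-hdd-redundant-3",
                            "waw-hdd-redundant-3-metadata",
                            "waw-hdd-yolo-3",
                        ],
                        s3Configuration: {
                            // NOTE(review): the key ID is committed in cleartext while the
                            // secret comes from ../secrets/plain; consider sourcing both from
                            // the secrets store so the pair is rotated together.
                            awsAccessKeyId: "RPYZIROFXNLQVU2WJ4R3",
                            awsSecretAccessKey: std.split((importstr "../secrets/plain/k0-benji-secret-access-key"), '\n')[0],
                            bucketName: "benji-k0-backups-waw3",
                            endpointUrl: "https://s3.eu-central-1.wasabisys.com/",
                        },
                    },
                },
            },
            waw3Pools: {
                // redundant block storage
                // NOTE(review): built with ECBlockPool, but the plain `spec:` below
                // (not `spec+:`) replaces the library's pool spec with a replicated
                // one; blockYolo is the mirror image. Confirm the StorageClass each
                // constructor emits still matches the actual pool type.
                blockRedundant: rook.ECBlockPool(k0.ceph.waw3, "waw-hdd-redundant-3") {
                    metadataReplicas: 2,
                    spec: {
                        failureDomain: "host",
                        replicated: {
                            size: 2,
                        },
                    },
                },
                // yolo block storage (low usage, no host redundancy)
                blockYolo: rook.ReplicatedBlockPool(k0.ceph.waw3, "waw-hdd-yolo-3") {
                    spec: {
                        failureDomain: "osd",
                        erasureCoded: {
                            dataChunks: 2,
                            codingChunks: 1,
                        },
                    },
                },
                // q3k's personal pool, used externally from k8s.
                q3kRedundant: rook.ECBlockPool(k0.ceph.waw3, "waw-hdd-redundant-q3k-3") {
                    metadataReplicas: 2,
                    spec: {
                        failureDomain: "host",
                        replicated: {
                            size: 2,
                        },
                    },
                },
                // S3/radosgw object store; referenced by name from registry and the
                // CephObjectStoreUsers below.
                objectRedundant: rook.S3ObjectStore(k0.ceph.waw3, "waw-hdd-redundant-3-object") {
                    spec: {
                        metadataPool: {
                            failureDomain: "host",
                            replicated: { size: 2 },
                        },
                        dataPool: {
                            failureDomain: "host",
                            replicated: { size: 2 },
                        },
                    },
                },
            },

            // Clients for S3/radosgw storage.
            // Every user lives in the ceph-waw3 namespace and is bound to the
            // waw-hdd-redundant-3-object store.
            clients: {
                # Used for owncloud.hackerspace.pl, which for now lives on boston-packets.hackerspace.pl.
                nextcloudWaw3: kube.CephObjectStoreUser("nextcloud") {
                    metadata+: {
                        namespace: "ceph-waw3",
                    },
                    spec: {
                        store: "waw-hdd-redundant-3-object",
                        displayName: "nextcloud",
                    },
                },
                # issues.hackerspace.pl (redmine) attachments bucket
                issuesWaw3: kube.CephObjectStoreUser("issues") {
                    metadata+: {
                        namespace: "ceph-waw3",
                    },
                    spec: {
                        store: "waw-hdd-redundant-3-object",
                        displayName: "issues",
                    },
                },

                # nuke@hackerspace.pl's personal storage.
                nukePersonalWaw3: kube.CephObjectStoreUser("nuke-personal") {
                    metadata+: {
                        namespace: "ceph-waw3",
                    },
                    spec: {
                        store: "waw-hdd-redundant-3-object",
                        displayName: "nuke-personal",
                    },
                },

                # patryk@hackerspace.pl's ArmA3 mod bucket.
                cz2ArmaModsWaw3: kube.CephObjectStoreUser("cz2-arma3mods") {
                    metadata+: {
                        namespace: "ceph-waw3",
                    },
                    spec: {
                        store: "waw-hdd-redundant-3-object",
                        displayName: "cz2-arma3mods",
                    },
                },
                # Buckets for spark pipelines
                # TODO(implr): consider a second yolo-backed one for temp data
                implrSparkWaw3: kube.CephObjectStoreUser("implr-spark") {
                    metadata+: {
                        namespace: "ceph-waw3",
                    },
                    spec: {
                        store: "waw-hdd-redundant-3-object",
                        displayName: "implr-spark",
                    },
                },
                # q3k's personal user
                q3kWaw3: kube.CephObjectStoreUser("q3k") {
                    metadata+: {
                        namespace: "ceph-waw3",
                    },
                    spec: {
                        store: "waw-hdd-redundant-3-object",
                        displayName: "q3k",
                    },
                },
                # woju's personal user
                wojuWaw3: kube.CephObjectStoreUser("woju") {
                    metadata+: {
                        namespace: "ceph-waw3",
                    },
                    spec: {
                        store: "waw-hdd-redundant-3-object",
                        displayName: "woju",
                    },
                },
                # cz3's (patryk@hackerspace.pl) personal user
                cz3Waw3: kube.CephObjectStoreUser("cz3") {
                    metadata+: {
                        namespace: "ceph-waw3",
                    },
                    spec: {
                        store: "waw-hdd-redundant-3-object",
                        displayName: "cz3",
                    },
                },
            },
        },


        # These are policies allowing for Insecure pods in some namespaces.
        # A lot of them are spurious and come from the fact that we deployed
        # these namespaces before we deployed the draconian PodSecurityPolicy
        # we have now. This should be fixed by setting up some more granular
        # policies, or fixing the workloads to not need some of the permission
        # bits they use, whatever those might be.
        # TODO(q3k): fix this?
        unnecessarilyInsecureNamespaces: [
            policies.AllowNamespaceInsecure("ceph-waw3"),
            policies.AllowNamespaceInsecure("matrix"),
            policies.AllowNamespaceInsecure("registry"),
            policies.AllowNamespaceInsecure("internet"),
            # TODO(implr): restricted policy with CAP_NET_ADMIN and tuntap, but no full root
            policies.AllowNamespaceInsecure("implr-vpn"),
        ],

        # Admission controller that permits non-privileged users to manage
        # their namespaces without danger of hijacking important URLs.
        admitomatic: admitomatic.Environment {
            cfg+: {
                proto: {
                    // Domains allowed in given namespaces. If a domain exists
                    // anywhere, ingresses will only be permitted to be created
                    // within namespaces in which it appears here. This works
                    // the same way for wildcards, if a wildcard exists in this
                    // list it blocks all unauthorized uses of that domain
                    // elsewhere.
                    //
                    // See //cluster/admitomatic for more information.
                    //
                    // Or, tl;dr:
                    //
                    // If you do a wildcard CNAME onto the k0 ingress, you
                    // should explicitly state *.your.name.com here.
                    //
                    // If you just want to protect your host from being
                    // hijacked by other cluster users, you should also state
                    // it here (either as a wildcard, or unary domains).
                    allow_domain: [
                        { namespace: "covid-formity", dns: "covid19.hackerspace.pl" },
                        { namespace: "covid-formity", dns: "covid.hackerspace.pl" },
                        { namespace: "covid-formity", dns: "www.covid.hackerspace.pl" },
                        { namespace: "devtools-prod", dns: "hackdoc.hackerspace.pl" },
                        { namespace: "devtools-prod", dns: "cs.hackerspace.pl" },
                        { namespace: "engelsystem-prod", dns: "engelsystem.hackerspace.pl" },
                        { namespace: "gerrit", dns: "gerrit.hackerspace.pl" },
                        { namespace: "gitea-prod", dns: "gitea.hackerspace.pl" },
                        { namespace: "hswaw-prod", dns: "*.hackerspace.pl" },
                        { namespace: "internet", dns: "internet.hackerspace.pl" },
                        { namespace: "matrix", dns: "matrix.hackerspace.pl" },
                        { namespace: "onlyoffice-prod", dns: "office.hackerspace.pl" },
                        { namespace: "redmine", dns: "issues.hackerspace.pl" },
                        { namespace: "speedtest", dns: "speedtest.hackerspace.pl" },
                        { namespace: "sso", dns: "sso.hackerspace.pl" },

                        { namespace: "ceph-waw3", dns: "ceph-waw3.hswaw.net" },
                        { namespace: "ceph-waw3", dns: "object.ceph-waw3.hswaw.net" },
                        // NOTE(review): per the rules above, a wildcard grant lets each of
                        // these two namespaces claim any *.hswaw.net ingress host; confirm
                        // whether it also covers hosts listed explicitly for other
                        // namespaces (e.g. ceph-waw3.hswaw.net) and narrow to the specific
                        // hosts these namespaces serve if admitomatic allows it.
                        { namespace: "monitoring-global-k0", dns: "*.hswaw.net" },
                        { namespace: "registry", dns: "*.hswaw.net" },

                        // q3k's legacy namespace (pre-prodvider)
                        { namespace: "q3k", dns: "*.q3k.org" },
                        { namespace: "personal-q3k", dns: "*.q3k.org" },
                    ],
                },
            },
        },
    },
}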