Sergiusz Bazanski4d9e72c2019-01-13 22:06:33 +01001# Top level cluster configuration.
2
3local kube = import "../../kube/kube.libsonnet";
Sergiusz Bazanskic7258f42019-06-21 00:24:09 +02004
Sergiusz Bazanskiaf3be422019-01-17 18:57:19 +01005local calico = import "lib/calico.libsonnet";
Sergiusz Bazanskic7258f42019-06-21 00:24:09 +02006local certmanager = import "lib/cert-manager.libsonnet";
7local cockroachdb = import "lib/cockroachdb.libsonnet";
8local coredns = import "lib/coredns.libsonnet";
Sergiusz Bazanski1e565dc2019-01-18 09:40:59 +01009local metallb = import "lib/metallb.libsonnet";
Sergiusz Bazanskic7258f42019-06-21 00:24:09 +020010local metrics = import "lib/metrics.libsonnet";
Sergiusz Bazanskia9c7e862019-04-01 17:56:28 +020011local nginx = import "lib/nginx.libsonnet";
Sergiusz Bazanski4d61d202019-07-21 16:56:41 +020012local registry = import "lib/registry.libsonnet";
Sergiusz Bazanskib7fcc672019-04-01 18:40:50 +020013local rook = import "lib/rook.libsonnet";
Sergiusz Bazanski4d9e72c2019-01-13 22:06:33 +010014
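// Cluster(fqdn) renders the cluster-wide, namespace-independent baseline of a
// hscloud Kubernetes cluster: the apiserver->kubelet RBAC, the network fabric,
// DNS, metrics, load balancing, ingress, ACME issuance, storage and a registry.
//
// fqdn: the cluster's DNS name (e.g. "k0.hswaw.net"). It is used both as the
//       identity bound to kubelet access (see crbAPIServer) and as the suffix
//       for per-cluster service hostnames (see registry).
local Cluster(fqdn) = {
    local cluster = self,
    local cfg = cluster.cfg,

    // Per-cluster knobs. `cfg` is hidden (`::`), so it never appears in the
    // rendered manifests; concrete clusters override it with `cfg+: { ... }`.
    cfg:: {
        // Storage class used for internal services (like registry). This must
        // be set to a valid storage class. This can either be a cloud provider class
        // (when running on GKE &co) or a storage class created using rook.
        // There is deliberately no default: evaluating a Cluster without
        // setting it fails loudly instead of rendering an unschedulable PVC.
        storageClassNameRedundant: error "storageClassNameRedundant must be set",
    },

    // These are required to let the API Server contact kubelets (kubectl
    // exec/logs/port-forward, node stats/metrics). They only matter when the
    // kubelets delegate authorization to the apiserver (Webhook authz mode),
    // which is not visible here — TODO confirm against the kubelet config.
    crAPIServerToKubelet: kube.ClusterRole("system:kube-apiserver-to-kubelet") {
        metadata+: {
            annotations+: {
                "rbac.authorization.kubernetes.io/autoupdate": "true",
            },
            labels+: {
                // Fixed label key: this was misspelled "kubernets.io/bootstrapping",
                // which is not the key upstream RBAC bootstrap defaults carry.
                "kubernetes.io/bootstrapping": "rbac-defaults",
            },
        },
        rules: [
            {
                apiGroups: [""],
                // nodes/proxy is the exec/attach/port-forward path into every
                // container on a node, i.e. effectively root on the cluster.
                // Keep this role bound exclusively to the apiserver identity
                // in crbAPIServer; never reuse it for other subjects.
                resources: ["nodes/%s" % r for r in ["proxy", "stats", "log", "spec", "metrics"]],
                verbs: ["*"],
            },
        ],
    },
    crbAPIServer: kube.ClusterRoleBinding("system:kube-apiserver") {
        roleRef: {
            apiGroup: "rbac.authorization.k8s.io",
            kind: "ClusterRole",
            name: cluster.crAPIServerToKubelet.metadata.name,
        },
        subjects: [
            {
                apiGroup: "rbac.authorization.k8s.io",
                kind: "User",
                // A cluster API Server authenticates with a certificate whose CN is == to the FQDN of the cluster.
                // NOTE(review): any client certificate with this CN that is
                // signed by a CA the cluster trusts inherits the kubelet-wide
                // powers granted above. That CN must stay reserved for the
                // apiserver's kubelet-client certificate and must never be
                // issued to humans or other components — confirm with the
                // cluster's CA issuance policy.
                name: fqdn,
            },
        ],
    },

    // Calico network fabric
    calico: calico.Environment {},
    // CoreDNS for this cluster.
    dns: coredns.Environment {},
    // Metrics Server
    metrics: metrics.Environment {},
    // Metal Load Balancer. The pool below is a publicly routed IPv4 range
    // announced in layer2 mode; every Service of type LoadBalancer in this
    // cluster becomes reachable from the Internet on one of these addresses,
    // so exposure is decided by the Service, not by this pool.
    metallb: metallb.Environment {
        cfg+: {
            addressPools: [
                { name: "public-v4-1", protocol: "layer2", addresses: ["185.236.240.50-185.236.240.63"] },
            ],
        },
    },
    // Main nginx Ingress Controller
    nginx: nginx.Environment {},
    certmanager: certmanager.Environment {},
    // Cluster-wide ACME issuer against the Let's Encrypt production endpoint
    // (rate-limited; use the staging directory when testing issuance).
    // The ACME account private key is persisted in the Secret named by
    // privateKeySecretRef; treat that Secret as sensitive.
    issuer: certmanager.ClusterIssuer("letsencrypt-prod") {
        spec: {
            acme: {
                server: "https://acme-v02.api.letsencrypt.org/directory",
                email: "bofh@hackerspace.pl",
                privateKeySecretRef: {
                    name: "letsencrypt-prod"
                },
                // HTTP-01 challenges: presumably served through the nginx
                // ingress above, which therefore has to be reachable on port
                // 80 from the public Internet — verify for each cluster.
                http01: {},
            },
        },
    },

    // Rook Ceph storage
    rook: rook.Operator {
        operator+: {
            spec+: {
                // TODO(q3k): Bring up the operator again when stability gets fixed
                // See: https://github.com/rook/rook/issues/3059#issuecomment-492378873
                // While scaled to 0, CephCluster/pool/object-store CRs built
                // on top of this operator are not reconciled: changes to them
                // will not be applied until replicas is restored.
                replicas: 0,
            },
        },
    },

    // Docker registry, served at registry.<fqdn> and backed by the redundant
    // storage class chosen per cluster via cfg.
    registry: registry.Environment {
        cfg+: {
            domain: "registry.%s" % [fqdn],
            storageClassName: cfg.storageClassNameRedundant,
        },
    },
};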
109
Sergiusz Bazanski49b9a132019-01-14 00:02:59 +0100110
// Concrete clusters. Currently a single one, k0, running on three bare-metal
// nodes in one chassis (bc01n01..03) which host both the CockroachDB and the
// Ceph data.
{
    k0: {
        local k0 = self,

        // Short node names; every physical node is reachable as <name>.hswaw.net.
        local nodeNames = ["bc01n01", "bc01n02", "bc01n03"],
        local nodeFQDN(n) = "%s.hswaw.net" % [n],

        // Erasure-coded 2+1 layout with one chunk per host: three chunks spread
        // over the three hosts, so the data survives the loss of one host.
        local ecHostPool = {
            failureDomain: "host",
            erasureCoded: {
                dataChunks: 2,
                codingChunks: 1,
            },
        },

        cluster: Cluster("k0.hswaw.net") {
            cfg+: {
                // Internal services (registry) land on the redundant Ceph pool.
                storageClassNameRedundant: k0.ceph.blockRedundant.name,
            },
        },
        cockroach: {
            waw1: cockroachdb.Cluster("crdb-waw1") {
                cfg+: {
                    // One CockroachDB member pinned to each physical node.
                    topology: [
                        { name: n, node: nodeFQDN(n) }
                        for n in nodeNames
                    ],
                    // Data lives on the node's local disk at this path; it is
                    // outside Ceph and only as durable as the node itself plus
                    // CockroachDB's own replication.
                    hostPath: "/var/db/crdb-waw1",
                },
            },
        },
        ceph: {
            // waw1 cluster
            waw1: rook.Cluster(k0.cluster.rook, "ceph-waw1") {
                // NOTE(review): `spec:` (not `spec+:`) replaces whatever spec
                // rook.Cluster provides rather than merging into it — confirm
                // nothing set there (e.g. cephVersion, dataDirHostPath) is
                // expected to survive.
                spec: {
                    mon: {
                        // Three monitors, one per host, so a single host loss
                        // keeps mon quorum.
                        count: 3,
                        allowMultiplePerNode: false,
                    },
                    storage: {
                        // Explicit device list only; never auto-claim disks,
                        // which would otherwise wipe any unlisted drive.
                        useAllNodes: false,
                        useAllDevices: false,
                        config: {
                            databaseSizeMB: "1024",
                            journalSizeMB: "1024",
                        },
                        // Each host contributes its /dev/sda as an OSD.
                        nodes: [
                            {
                                name: nodeFQDN(n),
                                location: "rack=dcr01 chassis=bc01 host=%s" % [n],
                                devices: [{ name: "sda" }],
                            }
                            for n in nodeNames
                        ],
                    },
                },
            },
            // redundant block storage
            blockRedundant: rook.ECBlockPool(k0.ceph.waw1, "waw-hdd-redundant-1") {
                spec: ecHostPool,
            },
            // yolo block storage (no replicas!) — a single copy of every
            // object; losing the host/disk holding it loses the data for good.
            // Only for scratch data that can be regenerated.
            blockYolo: rook.ReplicatedBlockPool(k0.ceph.waw1, "waw-hdd-yolo-1") {
                spec: {
                    failureDomain: "host",
                    replicated: {
                        size: 1,
                    },
                },
            },
            // S3-compatible object store: 3x replicated metadata, EC 2+1 data,
            // both spread across hosts.
            objectRedundant: rook.S3ObjectStore(k0.ceph.waw1, "waw-hdd-redundant-1-object") {
                spec: {
                    metadataPool: {
                        failureDomain: "host",
                        replicated: { size: 3 },
                    },
                    dataPool: ecHostPool,
                },
            },
        },
    },
}