Blame - cluster/kube/k0.libsonnet - hscloud

2020-06-06 01:21:45 +0200

[diff] [blame]

1

// k0.hswaw.net kubernetes cluster

2

// This defines the cluster as a single object.

3

// Use the sibling k0*.jsonnet 'view' files to actually apply the configuration.

4

5

local kube = import "../../kube/kube.libsonnet";

6

local policies = import "../../kube/policies.libsonnet";

7

8

local cluster = import "cluster.libsonnet";

9

Serge Bazanski

2021-02-06 17:27:02 +0000

[diff] [blame]

10

local admitomatic = import "lib/admitomatic.libsonnet";

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

11

local cockroachdb = import "lib/cockroachdb.libsonnet";

12

local registry = import "lib/registry.libsonnet";

13

local rook = import "lib/rook.libsonnet";

radex

2023-10-10 00:02:29 +0200

[diff] [blame]

14

local admins = import "lib/admins.libsonnet";

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

{

k0: {

local k0 = self,

cluster: cluster.Cluster("k0", "hswaw.net") {

20

cfg+: {

Serge Bazanski

3d29484

2020-08-04 01:34:07 +0200

[diff] [blame]

21

storageClassNameParanoid: k0.ceph.waw3Pools.blockRedundant.name,

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

22

},

23

metallb+: {

24

cfg+: {

Serge Bazanski

a5ed644

2020-09-20 22:52:57 +0000

[diff] [blame]

25

// Peer with calico running on same node.

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

26

peers: [

27

{

Serge Bazanski

a5ed644

2020-09-20 22:52:57 +0000

[diff] [blame]

28

"peer-address": "127.0.0.1",

29

"peer-asn": 65003,

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

30

"my-asn": 65002,

31

},

32

],

Serge Bazanski

a5ed644

2020-09-20 22:52:57 +0000

[diff] [blame]

33

// Public IP address pools. Keep in sync with k0.calico.yaml.

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

addressPools: [

{

protocol: "bgp",

addresses: [

"185.236.240.48/28",

],

},

{

protocol: "bgp",

addresses: [

"185.236.240.112/28"

],

},

],

},

},

},

// Docker registry

registry: registry.Environment {

56

cfg+: {

57

domain: "registry.%s" % [k0.cluster.fqdn],

58

storageClassName: k0.cluster.cfg.storageClassNameParanoid,

Serge Bazanski

3d29484

2020-08-04 01:34:07 +0200

[diff] [blame]

59

objectStorageName: "waw-hdd-redundant-3-object",

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

},

},

// CockroachDB, running on bc01n{01,02,03}.

64

cockroach: {

65

waw2: cockroachdb.Cluster("crdb-waw1") {

66

cfg+: {

67

topology: [

Patryk Jakuszew

edf14cc

2021-01-23 23:00:29 +0100

[diff] [blame]

68

{ name: "dcr01s22", node: "dcr01s22.hswaw.net" },

Serge Bazanski

bdd403c

2021-10-28 23:37:38 +0000

[diff] [blame]

69

{ name: "dcr01s24", node: "dcr01s24.hswaw.net" },

Serge Bazanski

6534969

2023-10-09 20:26:30 +0000

[diff] [blame]

70

{ name: "dcr03s16", node: "dcr03s16.hswaw.net" },

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

71

],

72

// Host path on SSD.

73

hostPath: "/var/db/crdb-waw1",

Serge Bazanski

509ab6e

2020-07-30 22:43:20 +0200

[diff] [blame]

74

extraDNS: [

75

"crdb-waw1.hswaw.net",

76

],

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

77

},

Serge Bazanski

bdd403c

2021-10-28 23:37:38 +0000

[diff] [blame]

78

initJob:: null,

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

79

},

80

clients: {

81

cccampix: k0.cockroach.waw2.Client("cccampix"),

82

cccampixDev: k0.cockroach.waw2.Client("cccampix-dev"),

83

buglessDev: k0.cockroach.waw2.Client("bugless-dev"),

84

sso: k0.cockroach.waw2.Client("sso"),

Serge Bazanski

509ab6e

2020-07-30 22:43:20 +0200

[diff] [blame]

85

herpDev: k0.cockroach.waw2.Client("herp-dev"),

Patryk Jakuszew

f315388

2021-01-23 15:38:50 +0100

[diff] [blame]

86

gitea: k0.cockroach.waw2.Client("gitea"),

Piotr Dobrowolski

f4a6a56

2021-02-01 21:32:25 +0100

[diff] [blame]

87

issues: k0.cockroach.waw2.Client("issues"),

Serge Bazanski

bf266c6

2021-03-17 21:48:58 +0000

[diff] [blame]

88

dns: k0.cockroach.waw2.Client("dns"),

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

},

},

ceph: {

// waw1 cluster - dead as of 2019/08/06, data corruption

Serge Bazanski

61f978a

2021-01-22 16:26:07 +0100

[diff] [blame]

94

// waw2 cluster - dead as of 2021/01/22, torn down (horrible M610 RAID controllers are horrible)

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

95

Serge Bazanski

2021-09-11 20:24:27 +0000

[diff] [blame]

96

// waw3: 6TB SAS 3.5" HDDs, internal Rook cluster.

97

//

98

// Suffers from rook going apeshit and nuking all mons if enough of

99

// a control plane is up for rook to run but if nodes are

100

// unavailable to the point of it deciding that no mon exists and

101

// it should create some new ones, fully nuking the monmap and

102

// making recovery a pain.

103

//

104

// Supposedly new versions of Rook slowly fix these issues, but q3k

105

// doesn't personally trust this codebase anymore. He'd rather

106

// manage the actual Ceph cluster myself, we don't need all of this

107

// magic.

108

//

109

// See: b.hswaw.net/6

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

110

waw3: rook.Cluster(k0.cluster.rook, "ceph-waw3") {

111

spec: {

112

mon: {

Serge Bazanski

1684211

2022-11-17 19:30:05 +0000

[diff] [blame]

113

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

114

allowMultiplePerNode: false,

115

},

Serge Bazanski

793ca1b

2021-03-07 00:07:19 +0000

[diff] [blame]

116

resources: {

117

osd: {

118

requests: {

Serge Bazanski

64de7af

2021-03-17 21:47:29 +0000

[diff] [blame]

119

cpu: "2",

120

memory: "6G",

Serge Bazanski

793ca1b

2021-03-07 00:07:19 +0000

[diff] [blame]

121

},

122

limits: {

Serge Bazanski

64de7af

2021-03-17 21:47:29 +0000

[diff] [blame]

123

cpu: "2",

124

memory: "8G",

Serge Bazanski

793ca1b

2021-03-07 00:07:19 +0000

[diff] [blame]

},

},

},

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

129

storage: {

130

useAllNodes: false,

131

useAllDevices: false,

132

config: {

133

databaseSizeMB: "1024",

134

journalSizeMB: "1024",

135

},

Serge Bazanski

2021-09-11 20:24:27 +0000

[diff] [blame]

136

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

nodes: [

{

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

140

devices: [

Serge Bazanski

2021-09-11 20:24:27 +0000

[diff] [blame]

141

{ name: "/dev/disk/by-id/wwn-0x" + id }

142

for id in [

Serge Bazanski

712a5dc

2023-02-28 01:15:40 +0000

[diff] [blame]

143

"5000c5008508c433", # ST6000NM0034 Z4D40QZR0000R629ME1B

144

"5000c500850989cf", # ST6000NM0034 Z4D40JRL0000R63008A2

145

"5000c5008508baf7", # ST6000NM0034 Z4D40M380000R630V00M

146

"5000c5008508f843", # ST6000NM0034 Z4D40LGP0000R630UVTD

147

"5000c500850312cb", # ST6000NM0034 Z4D3ZAAX0000R629NW31

148

"5000c500850293e3", # ST6000NM0034 Z4D3Z5TD0000R629MF7P

149

"5000c5008508e3ef", # ST6000NM0034 Z4D40LM50000R630V0W3

150

"5000c5008508e23f", # ST6000NM0034 Z4D40QMX0000R629MD3C

Serge Bazanski

2021-09-11 20:24:27 +0000

[diff] [blame]

151

]

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

],

},

{

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

156

devices: [

Serge Bazanski

2021-09-11 20:24:27 +0000

[diff] [blame]

157

{ name: "/dev/disk/by-id/wwn-0x" + id }

158

for id in [

Serge Bazanski

7572f07

2023-03-10 20:54:35 +0100

[diff] [blame]

159

"5000c5008508c9ef", # ST6000NM0034 Z4D40LY40000R630UZCE

160

"5000c5008508df33", # ST6000NM0034 Z4D40QQ00000R629MB25

161

"5000c5008508dd3b", # ST6000NM0034 Z4D40QQJ0000R630RBY6

162

"5000c5008509199b", # ST6000NM0034 Z4D40QG10000R630V0X9

163

"5000c5008508ee03", # ST6000NM0034 Z4D40LHH0000R630UYP0

164

"5000c50085046abf", # ST6000NM0034 Z4D3ZF1B0000R629NV9P

165

"5000c5008502929b", # ST6000NM0034 Z4D3Z5WG0000R629MF14

Serge Bazanski

2021-09-11 20:24:27 +0000

[diff] [blame]

166

]

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

167

],

168

},

Serge Bazanski

18c27ae

2023-10-13 13:44:18 +0200

[diff] [blame]

{

devices: [

{ name: "/dev/disk/by-id/wwn-0x" + id }

173

for id in [

174

"5000c5008508fb73", # ST6000NM0034 Z4D40LEF0000R630UX98

175

"5000c5008508c3a7", # ST6000NM0034 Z4D40LZV0000R630UY91

176

"5000c5008508d7bf", # ST6000NM0034 Z4D40LPT0000R629NXBF

177

"5000c5008502952f", # ST6000NM0034 Z4D3Z5RA0000R628P45F

178

"5000c5008502aa4b", # ST6000NM0034 Z4D3Z5A00000R630RU2T

179

"5000c5008508d677", # ST6000NM0034 Z4D40LQH0000R630QRAS

180

]

181

],

182

},

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

],

},

benji:: {

metadataStorageClass: "waw-hdd-redundant-3",

187

encryptionPassword: std.split((importstr "../secrets/plain/k0-benji-encryption-password"), '\n')[0],

188

pools: [

189

"waw-hdd-redundant-3",

190

"waw-hdd-redundant-3-metadata",

"waw-hdd-yolo-3",

],

s3Configuration: {

awsAccessKeyId: "RPYZIROFXNLQVU2WJ4R3",

195

awsSecretAccessKey: std.split((importstr "../secrets/plain/k0-benji-secret-access-key"), '\n')[0],

196

bucketName: "benji-k0-backups-waw3",

197

endpointUrl: "https://s3.eu-central-1.wasabisys.com/",

},

}

},

},

waw3Pools: {

// redundant block storage

204

blockRedundant: rook.ECBlockPool(k0.ceph.waw3, "waw-hdd-redundant-3") {

205

metadataReplicas: 2,

206

spec: {

207

failureDomain: "host",

replicated: {

size: 2,

},

},

},

Serge Bazanski

242ec58

2020-09-20 15:36:11 +0000

[diff] [blame]

213

// q3k's personal pool, used externally from k8s.

214

q3kRedundant: rook.ECBlockPool(k0.ceph.waw3, "waw-hdd-redundant-q3k-3") {

215

metadataReplicas: 2,

216

spec: {

217

failureDomain: "host",

replicated: {

size: 2,

},

},

},

Serge Bazanski

38f72fe

2021-09-13 23:43:47 +0000

[diff] [blame]

object: {

local poolSpec = {

failureDomain: "host",

227

replicated: { size: 2 },

228

},

229

230

realm: rook.S3ObjectRealm(k0.ceph.waw3, "hscloud"),

231

zonegroup: rook.S3ObjectZoneGroup(self.realm, "eu"),

232

// This is serving at object.ceph-waw3.hswaw.net, but

233

// internally to Ceph it is known as

234

// waw-hdd-redundant-3-object (name of radosgw zone).

235

store: rook.S3ObjectStore(self.zonegroup, "waw-hdd-redundant-3-object") {

236

cfg+: {

237

// Override so that this radosgw serves on

238

// object.ceph-{waw3,eu}.hswaw.net instead of

239

// ceph-{waw-hdd-redundant-3-object,eu}.

240

domainParts: [

241

"waw3", "eu",

242

],

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

243

},

Serge Bazanski

38f72fe

2021-09-13 23:43:47 +0000

[diff] [blame]

244

spec: {

245

metadataPool: poolSpec,

246

dataPool: poolSpec,

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

},

},

},

},

// Clients for S3/radosgw storage.

253

clients: {

Piotr Dobrowolski

2023-10-07 20:14:51 +0200

[diff] [blame]

254

local ObjectStoreUser(name) = kube.CephObjectStoreUser(name) {

255

metadata+: {

256

namespace: "ceph-waw3",

257

},

258

spec: {

259

store: "waw-hdd-redundant-3-object",

displayName: name,

},

},

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

264

# Used for owncloud.hackerspace.pl, which for now lives on boston-packets.hackerspace.pl.

Piotr Dobrowolski

2023-10-07 20:14:51 +0200

[diff] [blame]

265

nextcloudWaw3: ObjectStoreUser("nextcloud"),

Piotr Dobrowolski

3b8a43f

2021-02-01 21:19:48 +0100

[diff] [blame]

266

# issues.hackerspace.pl (redmine) attachments bucket

Piotr Dobrowolski

2023-10-07 20:14:51 +0200

[diff] [blame]

267

issuesWaw3: ObjectStoreUser("issues"),

Piotr Dobrowolski

e839f95

2021-09-14 22:21:22 +0200

[diff] [blame]

268

# matrix.hackerspace.pl media storage bucket

Piotr Dobrowolski

2023-10-07 20:14:51 +0200

[diff] [blame]

269

matrixWaw3: ObjectStoreUser("matrix"),

Bartosz Stebel

54a34b2

2022-03-05 23:20:56 +0100

[diff] [blame]

270

# tape staging temporary storage

Piotr Dobrowolski

2023-10-07 20:14:51 +0200

[diff] [blame]

271

tapeStaging: ObjectStoreUser("tape-staging"),

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

272

273

# nuke@hackerspace.pl's personal storage.

Piotr Dobrowolski

2023-10-07 20:14:51 +0200

[diff] [blame]

274

nukePersonalWaw3: ObjectStoreUser("nuke-personal"),

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

275

276

# patryk@hackerspace.pl's ArmA3 mod bucket.

Piotr Dobrowolski

2023-10-07 20:14:51 +0200

[diff] [blame]

277

cz2ArmaModsWaw3: ObjectStoreUser("cz2-arma3mods"),

278

Bartosz Stebel

0156ab2

2023-02-20 21:33:33 +0100

[diff] [blame]

279

# implr's personal user

Piotr Dobrowolski

2023-10-07 20:14:51 +0200

[diff] [blame]

280

implrSparkWaw3: ObjectStoreUser("implr"),

281

Sergiusz Bazanski

b1aadd8

2020-06-24 19:06:17 +0200

[diff] [blame]

282

# q3k's personal user

Piotr Dobrowolski

2023-10-07 20:14:51 +0200

[diff] [blame]

283

q3kWaw3: ObjectStoreUser("q3k"),

284

Serge Bazanski

bfe9bb0

2020-10-27 20:50:50 +0100

[diff] [blame]

285

# woju's personal user

Piotr Dobrowolski

2023-10-07 20:14:51 +0200

[diff] [blame]

286

wojuWaw3: ObjectStoreUser("woju"),

287

Patryk Jakuszew

34668a5

2020-11-28 13:45:25 +0100

[diff] [blame]

288

# cz3's (patryk@hackerspace.pl) personal user

Piotr Dobrowolski

2023-10-07 20:14:51 +0200

[diff] [blame]

289

cz3Waw3: ObjectStoreUser("cz3"),

290

Piotr Dobrowolski

e839f95

2021-09-14 22:21:22 +0200

[diff] [blame]

291

# informatic's personal user

Piotr Dobrowolski

2023-10-07 20:14:51 +0200

[diff] [blame]

292

informaticWaw3: ObjectStoreUser("informatic"),

293

Serge Bazanski

1684211

2022-11-17 19:30:05 +0000

[diff] [blame]

294

# mastodon qa and prod

295

mastodonWaw3: {

Piotr Dobrowolski

2023-10-07 20:14:51 +0200

[diff] [blame]

296

qa: ObjectStoreUser("mastodon-qa"),

297

prod: ObjectStoreUser("mastodon-prod"),

Serge Bazanski

1684211

2022-11-17 19:30:05 +0000

[diff] [blame]

298

},

Piotr Dobrowolski

2023-10-07 20:14:51 +0200

[diff] [blame]

299

300

codehostingWaw3: ObjectStoreUser("codehosting"),

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

},

},

# These are policies allowing for Insecure pods in some namespaces.

306

# A lot of them are spurious and come from the fact that we deployed

307

# these namespaces before we deployed the draconian PodSecurityPolicy

308

# we have now. This should be fixed by setting up some more granular

309

# policies, or fixing the workloads to not need some of the permission

310

# bits they use, whatever those might be.

311

# TODO(q3k): fix this?

312

unnecessarilyInsecureNamespaces: [

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

313

policies.AllowNamespaceInsecure("ceph-waw3"),

314

policies.AllowNamespaceInsecure("matrix"),

315

policies.AllowNamespaceInsecure("registry"),

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

316

# TODO(implr): restricted policy with CAP_NET_ADMIN and tuntap, but no full root

317

policies.AllowNamespaceInsecure("implr-vpn"),

Radek Pietruszewski

934f7d3

2023-11-03 19:02:51 +0100

[diff] [blame]

318

// For SourceGraph's tini container mess.

319

policies.AllowNamespaceMostlySecure("sourcegraph"),

radex

7a4c27d

2023-11-24 13:20:10 +0100

[diff] [blame]

320

// Needed because the documentserver runs its own supervisor, and:

321

// - rabbitmq wants to mkdir in /run, which starts out with the wrong permissions

322

// - nginx wants to bind to port 80

323

policies.AllowNamespaceInsecure("onlyoffice-prod"),

Sergiusz Bazanski

2020-06-06 01:21:45 +0200

[diff] [blame]

324

],

Serge Bazanski

2021-02-06 17:27:02 +0000

[diff] [blame]

325

326

# Admission controller that permits non-privileged users to manage

327

# their namespaces without danger of hijacking important URLs.

328

admitomatic: admitomatic.Environment {

329

cfg+: {

330

proto: {

331

// Domains allowed in given namespaces. If a domain exists

332

// anywhere, ingresses will only be permitted to be created

333

// within namespaces in which it appears here. This works

334

// the same way for wildcards, if a wildcard exists in this

335

// list it blocks all unauthorized uses of that domain

336

// elsewhere.

337

//

338

// See //cluster/admitomatic for more information.

//

// Or, tl;dr:

//

// If you do a wildcard CNAME onto the k0 ingress, you

343

// should explicitly state *.your.name.com here.

344

//

345

// If you just want to protect your host from being

346

// hijacked by other cluster users, you should also state

347

// it here (either as a wildcard, or unary domains).

348

allow_domain: [

radex

2023-11-24 10:25:52 +0100

[diff] [blame]

349

// app

radex

c2c66bf

2023-08-17 14:28:32 +0200

[diff] [blame]

350

{ namespace: "inventory", dns: "inventory.hackerspace.pl" },

radex

2023-11-24 10:25:52 +0100

[diff] [blame]

351

{ namespace: "mastodon-hackerspace-qa", dns: "social-qa-2.hackerspace.pl" },

352

{ namespace: "mastodon-hackerspace-prod", dns: "social.hackerspace.pl" },

Serge Bazanski

2021-02-06 17:27:02 +0000

[diff] [blame]

353

{ namespace: "matrix", dns: "matrix.hackerspace.pl" },

354

{ namespace: "onlyoffice-prod", dns: "office.hackerspace.pl" },

radex

2023-11-24 10:25:52 +0100

[diff] [blame]

355

{ namespace: "walne", dns: "walne.hackerspace.pl" },

356

357

// bgpwtf

358

{ namespace: "internet", dns: "internet.hackerspace.pl" },

359

{ namespace: "speedtest", dns: "speedtest.hackerspace.pl" },

360

361

// devtools

radex

2023-11-24 10:41:38 +0100

[diff] [blame]

362

{ namespace: "devtools-prod", dns: "hackdoc.hackerspace.pl" }, // TODO: remove this

363

{ namespace: "devtools-prod", dns: "cs.hackerspace.pl" }, // TODO: remove this

radex

2023-11-24 10:25:52 +0100

[diff] [blame]

364

{ namespace: "gitea-prod", dns: "gitea.hackerspace.pl" },

365

{ namespace: "codehosting-prod", dns: "git.hackerspace.pl" },

366

{ namespace: "codehosting-prod", dns: "code.hackerspace.pl" },

367

{ namespace: "gerrit", dns: "gerrit.hackerspace.pl" },

368

{ namespace: "gerrit-qa", dns: "gerrit-qa.hackerspace.pl" },

radex

2023-11-24 10:41:38 +0100

[diff] [blame]

369

{ namespace: "hackdoc", dns: "hackdoc.hackerspace.pl" },

Serge Bazanski

2021-02-06 17:27:02 +0000

[diff] [blame]

370

{ namespace: "redmine", dns: "issues.hackerspace.pl" },

Serge Bazanski

877cf0a

2021-02-08 00:34:34 +0100

[diff] [blame]

371

{ namespace: "redmine", dns: "b.hackerspace.pl" },

372

{ namespace: "redmine", dns: "b.hswaw.net" },

373

{ namespace: "redmine", dns: "xn--137h.hackerspace.pl" },

374

{ namespace: "redmine", dns: "xn--137h.hswaw.net" },

radex

2023-11-24 10:25:52 +0100

[diff] [blame]

375

{ namespace: "sourcegraph", dns: "cs.hackerspace.pl" },

376

377

// hswaw

378

{ namespace: "hswaw-prod", dns: "*.hackerspace.pl" },

379

{ namespace: "hswaw-prod", dns: "*.hswaw.net" },

radex

2023-11-24 10:41:38 +0100

[diff] [blame]

380

{ namespace: "hswaw-prod", dns: "*.cebula.camp" }, // TODO: remove this

radex

2023-11-24 10:25:52 +0100

[diff] [blame]

381

{ namespace: "capacifier", dns: "capacifier.hackerspace.pl" },

radex

2023-11-24 10:41:38 +0100

[diff] [blame]

382

{ namespace: "cebulacamp", dns: "cebula.camp" },

radex

2023-11-24 10:25:52 +0100

[diff] [blame]

383

{ namespace: "engelsystem-prod", dns: "engelsystem.hackerspace.pl" },

radex

2023-11-24 10:41:38 +0100

[diff] [blame]

384

{ namespace: "invoicer", dns: "invoicer.hackerspace.pl" },

radex

2023-11-24 10:25:52 +0100

[diff] [blame]

385

{ namespace: "ldapweb", dns: "profile.hackerspace.pl" },

386

{ namespace: "paperless", dns: "paperless.hackerspace.pl" },

radex

2023-11-24 10:41:38 +0100

[diff] [blame]

387

{ namespace: "pretalx", dns: "cfp.cebula.camp" },

radex

2023-11-24 10:25:52 +0100

[diff] [blame]

388

{ namespace: "site", dns: "new.hackerspace.pl" },

radex

2023-11-24 10:41:38 +0100

[diff] [blame]

389

{ namespace: "teleimg", dns: "teleimg.hswaw.net" },

radex

2023-11-24 10:25:52 +0100

[diff] [blame]

390

391

// ops

Serge Bazanski

2021-02-06 17:27:02 +0000

[diff] [blame]

392

{ namespace: "sso", dns: "sso.hackerspace.pl" },

393

radex

e36beba

2023-10-11 00:41:48 +0200

[diff] [blame]

394

// auto-namespaced domains, i.e:

395

// USER.hscloud.ovh is allowed for personal-USER namespace

396

// *.USER.hscloud.ovh is allowed for personal-USER namespace

397

{ namespace: "personal-$2", dns: "(.*\\.)?([^.]+)\\.hscloud\\.ovh", regexp: true },

398

399

// cluster infra

Serge Bazanski

2021-02-06 17:27:02 +0000

[diff] [blame]

400

{ namespace: "ceph-waw3", dns: "ceph-waw3.hswaw.net" },

401

{ namespace: "ceph-waw3", dns: "object.ceph-waw3.hswaw.net" },

Serge Bazanski

38f72fe

2021-09-13 23:43:47 +0000

[diff] [blame]

402

{ namespace: "ceph-waw3", dns: "object.ceph-eu.hswaw.net" },

Serge Bazanski

2021-02-06 17:27:02 +0000

[diff] [blame]

403

{ namespace: "monitoring-global-k0", dns: "*.hswaw.net" },

404

{ namespace: "registry", dns: "*.hswaw.net" },

405

radex

e36beba

2023-10-11 00:41:48 +0200

[diff] [blame]

406

// personal namespaces

Serge Bazanski

2021-02-06 17:27:02 +0000

[diff] [blame]

407

{ namespace: "q3k", dns: "*.q3k.org" },

408

{ namespace: "personal-q3k", dns: "*.q3k.org" },

radex

e36beba

2023-10-11 00:41:48 +0200

[diff] [blame]

409

{ namespace: "personal-radex", dns: "hs.radex.io" },

410

{ namespace: "personal-radex", dns: "*.hs.radex.io" },

Serge Bazanski

2021-02-06 17:27:02 +0000

[diff] [blame]

411

],

Serge Bazanski

c1f3725

2023-06-19 21:56:29 +0000

[diff] [blame]

412

413

anything_goes_namespace: [

414

// sourcegraph ingress wants a config snippet to set a header.

415

"devtools-prod",

Radek Pietruszewski

934f7d3

2023-11-03 19:02:51 +0100

[diff] [blame]

416

"sourcegraph",

Serge Bazanski

c1f3725

2023-06-19 21:56:29 +0000

[diff] [blame]

417

],

Serge Bazanski

2021-02-06 17:27:02 +0000

[diff] [blame]

418

},

419

},

420

},

radex

2023-10-10 00:02:29 +0200

[diff] [blame]

421

422

// Configuration of RoleBindings

423

admins: admins.NamespaceAdmins {

424

// Cluster staff have full access to all namespaces

425

// To give non-staff users admin access scoped to a given namespace,

426

// add them to the list below.

427

// (system:admin-namespace role is given to <user>@hackerspace.pl)

428

namespaces:: {

radex

2023-11-24 10:25:52 +0100

[diff] [blame]

429

// app

radex

2023-10-10 00:02:29 +0200

[diff] [blame]

"inventory": [

"radex",

"palid",

],

radex

2023-10-10 00:02:29 +0200

[diff] [blame]

434

"matrix-0x3c": [

435

"not7cd",

436

],

radex

2023-11-24 10:25:52 +0100

[diff] [blame]

"walne": [

"radex",

"palid",

],

// bgpwtf

"internet": [

radex

2023-10-10 00:02:29 +0200

[diff] [blame]

444

"radex",

445

],

radex

2023-11-24 10:25:52 +0100

[diff] [blame]

446

"speedtest": [

radex

2023-10-10 00:02:29 +0200

[diff] [blame]

447

"radex",

448

],

radex

2023-11-24 10:25:52 +0100

[diff] [blame]

449

450

// devtools

Radek Pietruszewski

2023-10-30 20:27:25 +0100

[diff] [blame]

"devtools-prod": [

"radex",

],

"depotview": [

"radex",

],

"hackdoc": [

"radex",

],

"sourcegraph": [

"radex",

],

radex

2023-11-24 10:25:52 +0100

[diff] [blame]

// games

"valheim": [

"patryk",

"palid",

Radek Pietruszewski

2023-10-30 20:27:25 +0100

[diff] [blame]

468

],

radex

2023-11-24 10:25:52 +0100

[diff] [blame]

// hswaw

"hswaw-prod": [

"ar",

Radek Pietruszewski

2023-10-30 20:27:25 +0100

[diff] [blame]

"radex",

],

"cebulacamp": [

"radex",

],

radex

2023-11-24 10:41:38 +0100

[diff] [blame]

"invoicer": [

"arsenicum",

"radex",

],

radex

2023-11-24 10:25:52 +0100

[diff] [blame]

482

"ldapweb": [

Radek Pietruszewski

2023-10-30 20:27:25 +0100

[diff] [blame]

483

"radex",

484

],

radex

2023-11-24 10:41:38 +0100

[diff] [blame]

485

"paperless": [

486

"radex",

487

],

Radek Pietruszewski

2023-10-30 20:27:25 +0100

[diff] [blame]

488

"pretalx": [

489

"radex",

490

],

radex

2023-11-24 10:25:52 +0100

[diff] [blame]

"site": [

"ar",

"radex",

],

"teleimg": [

"radex",

],

radex

2023-10-10 00:02:29 +0200

[diff] [blame]

498

}

499

}

Sergiusz Bazanski