Gitiles
Code Review Sign In
gerrit.hackerspace.pl / hscloud / 63328a353a1e26b265b3fc20c563ed745b31abca / . / cluster / kube / k0.libsonnet
blob: 46eb7d311674bafd5c3c62a979c3b3e143490037 [file] [log] [blame]
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]1// k0.hswaw.net kubernetes cluster
2// This defines the cluster as a single object.
3// Use the sibling k0*.jsonnet 'view' files to actually apply the configuration.
4
5local kube = import "../../kube/kube.libsonnet";
6local policies = import "../../kube/policies.libsonnet";
7
8local cluster = import "cluster.libsonnet";
9
Serge Bazanski3c5d8362021-02-06 17:27:02 +0000[diff] [blame]10local admitomatic = import "lib/admitomatic.libsonnet";
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]11local cockroachdb = import "lib/cockroachdb.libsonnet";
12local registry = import "lib/registry.libsonnet";
13local rook = import "lib/rook.libsonnet";
radex0776a792023-10-10 00:02:29 +0200[diff] [blame]14local admins = import "lib/admins.libsonnet";
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]15
16{
17 k0: {
18 local k0 = self,
19 cluster: cluster.Cluster("k0", "hswaw.net") {
20 cfg+: {
Serge Bazanski3d294842020-08-04 01:34:07 +0200[diff] [blame]21 storageClassNameParanoid: k0.ceph.waw3Pools.blockRedundant.name,
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]22 },
23 metallb+: {
24 cfg+: {
Serge Bazanskia5ed6442020-09-20 22:52:57 +0000[diff] [blame]25 // Peer with calico running on same node.
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]26 peers: [
27 {
Serge Bazanskia5ed6442020-09-20 22:52:57 +0000[diff] [blame]28 "peer-address": "127.0.0.1",
29 "peer-asn": 65003,
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]30 "my-asn": 65002,
31 },
32 ],
Serge Bazanskia5ed6442020-09-20 22:52:57 +0000[diff] [blame]33 // Public IP address pools. Keep in sync with k0.calico.yaml.
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]34 addressPools: [
35 {
36 name: "public-v4-1",
37 protocol: "bgp",
38 addresses: [
39 "185.236.240.48/28",
40 ],
41 },
42 {
43 name: "public-v4-2",
44 protocol: "bgp",
45 addresses: [
46 "185.236.240.112/28"
47 ],
48 },
49 ],
50 },
51 },
52 },
53
54 // Docker registry
55 registry: registry.Environment {
56 cfg+: {
57 domain: "registry.%s" % [k0.cluster.fqdn],
58 storageClassName: k0.cluster.cfg.storageClassNameParanoid,
Serge Bazanski3d294842020-08-04 01:34:07 +0200[diff] [blame]59 objectStorageName: "waw-hdd-redundant-3-object",
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]60 },
61 },
62
63 // CockroachDB, running on bc01n{01,02,03}.
64 cockroach: {
65 waw2: cockroachdb.Cluster("crdb-waw1") {
66 cfg+: {
67 topology: [
Patryk Jakuszewedf14cc2021-01-23 23:00:29 +0100[diff] [blame]68 { name: "dcr01s22", node: "dcr01s22.hswaw.net" },
Serge Bazanskibdd403c2021-10-28 23:37:38 +0000[diff] [blame]69 { name: "dcr01s24", node: "dcr01s24.hswaw.net" },
Serge Bazanski65349692023-10-09 20:26:30 +0000[diff] [blame]70 { name: "dcr03s16", node: "dcr03s16.hswaw.net" },
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]71 ],
72 // Host path on SSD.
73 hostPath: "/var/db/crdb-waw1",
Serge Bazanski509ab6e2020-07-30 22:43:20 +0200[diff] [blame]74 extraDNS: [
75 "crdb-waw1.hswaw.net",
76 ],
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]77 },
Serge Bazanskibdd403c2021-10-28 23:37:38 +0000[diff] [blame]78 initJob:: null,
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]79 },
80 clients: {
81 cccampix: k0.cockroach.waw2.Client("cccampix"),
82 cccampixDev: k0.cockroach.waw2.Client("cccampix-dev"),
83 buglessDev: k0.cockroach.waw2.Client("bugless-dev"),
84 sso: k0.cockroach.waw2.Client("sso"),
Serge Bazanski509ab6e2020-07-30 22:43:20 +0200[diff] [blame]85 herpDev: k0.cockroach.waw2.Client("herp-dev"),
Patryk Jakuszewf3153882021-01-23 15:38:50 +0100[diff] [blame]86 gitea: k0.cockroach.waw2.Client("gitea"),
Piotr Dobrowolskif4a6a562021-02-01 21:32:25 +0100[diff] [blame]87 issues: k0.cockroach.waw2.Client("issues"),
Serge Bazanskibf266c62021-03-17 21:48:58 +0000[diff] [blame]88 dns: k0.cockroach.waw2.Client("dns"),
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]89 },
90 },
91
92 ceph: {
93 // waw1 cluster - dead as of 2019/08/06, data corruption
Serge Bazanski61f978a2021-01-22 16:26:07 +0100[diff] [blame]94 // waw2 cluster - dead as of 2021/01/22, torn down (horrible M610 RAID controllers are horrible)
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]95
Serge Bazanski464fb042021-09-11 20:24:27 +0000[diff] [blame]96 // waw3: 6TB SAS 3.5" HDDs, internal Rook cluster.
97 //
98 // Suffers from rook going apeshit and nuking all mons if enough of
99 // a control plane is up for rook to run but if nodes are
100 // unavailable to the point of it deciding that no mon exists and
101 // it should create some new ones, fully nuking the monmap and
102 // making recovery a pain.
103 //
104 // Supposedly new versions of Rook slowly fix these issues, but q3k
105 // doesn't personally trust this codebase anymore. He'd rather
106 // manage the actual Ceph cluster myself, we don't need all of this
107 // magic.
108 //
109 // See: b.hswaw.net/6
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]110 waw3: rook.Cluster(k0.cluster.rook, "ceph-waw3") {
111 spec: {
112 mon: {
Serge Bazanski16842112022-11-17 19:30:05 +0000[diff] [blame]113 count: 3,
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]114 allowMultiplePerNode: false,
115 },
Serge Bazanski793ca1b2021-03-07 00:07:19 +0000[diff] [blame]116 resources: {
117 osd: {
118 requests: {
Serge Bazanski64de7af2021-03-17 21:47:29 +0000[diff] [blame]119 cpu: "2",
120 memory: "6G",
Serge Bazanski793ca1b2021-03-07 00:07:19 +0000[diff] [blame]121 },
122 limits: {
Serge Bazanski64de7af2021-03-17 21:47:29 +0000[diff] [blame]123 cpu: "2",
124 memory: "8G",
Serge Bazanski793ca1b2021-03-07 00:07:19 +0000[diff] [blame]125 },
126 },
127
128 },
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]129 storage: {
130 useAllNodes: false,
131 useAllDevices: false,
132 config: {
133 databaseSizeMB: "1024",
134 journalSizeMB: "1024",
135 },
Serge Bazanski464fb042021-09-11 20:24:27 +0000[diff] [blame]136
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]137 nodes: [
138 {
139 name: "dcr01s22.hswaw.net",
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]140 devices: [
Serge Bazanski464fb042021-09-11 20:24:27 +0000[diff] [blame]141 { name: "/dev/disk/by-id/wwn-0x" + id }
142 for id in [
Serge Bazanski712a5dc2023-02-28 01:15:40 +0000[diff] [blame]143 "5000c5008508c433", # ST6000NM0034 Z4D40QZR0000R629ME1B
144 "5000c500850989cf", # ST6000NM0034 Z4D40JRL0000R63008A2
145 "5000c5008508baf7", # ST6000NM0034 Z4D40M380000R630V00M
146 "5000c5008508f843", # ST6000NM0034 Z4D40LGP0000R630UVTD
147 "5000c500850312cb", # ST6000NM0034 Z4D3ZAAX0000R629NW31
148 "5000c500850293e3", # ST6000NM0034 Z4D3Z5TD0000R629MF7P
149 "5000c5008508e3ef", # ST6000NM0034 Z4D40LM50000R630V0W3
150 "5000c5008508e23f", # ST6000NM0034 Z4D40QMX0000R629MD3C
Serge Bazanski464fb042021-09-11 20:24:27 +0000[diff] [blame]151 ]
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]152 ],
153 },
154 {
155 name: "dcr01s24.hswaw.net",
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]156 devices: [
Serge Bazanski464fb042021-09-11 20:24:27 +0000[diff] [blame]157 { name: "/dev/disk/by-id/wwn-0x" + id }
158 for id in [
Serge Bazanski7572f072023-03-10 20:54:35 +0100[diff] [blame]159 "5000c5008508c9ef", # ST6000NM0034 Z4D40LY40000R630UZCE
160 "5000c5008508df33", # ST6000NM0034 Z4D40QQ00000R629MB25
161 "5000c5008508dd3b", # ST6000NM0034 Z4D40QQJ0000R630RBY6
162 "5000c5008509199b", # ST6000NM0034 Z4D40QG10000R630V0X9
163 "5000c5008508ee03", # ST6000NM0034 Z4D40LHH0000R630UYP0
164 "5000c50085046abf", # ST6000NM0034 Z4D3ZF1B0000R629NV9P
165 "5000c5008502929b", # ST6000NM0034 Z4D3Z5WG0000R629MF14
Serge Bazanski464fb042021-09-11 20:24:27 +0000[diff] [blame]166 ]
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]167 ],
168 },
Serge Bazanski18c27ae2023-10-13 13:44:18 +0200[diff] [blame]169 {
170 name: "dcr03s16.hswaw.net",
171 devices: [
172 { name: "/dev/disk/by-id/wwn-0x" + id }
173 for id in [
174 "5000c5008508fb73", # ST6000NM0034 Z4D40LEF0000R630UX98
175 "5000c5008508c3a7", # ST6000NM0034 Z4D40LZV0000R630UY91
176 "5000c5008508d7bf", # ST6000NM0034 Z4D40LPT0000R629NXBF
177 "5000c5008502952f", # ST6000NM0034 Z4D3Z5RA0000R628P45F
178 "5000c5008502aa4b", # ST6000NM0034 Z4D3Z5A00000R630RU2T
179 "5000c5008508d677", # ST6000NM0034 Z4D40LQH0000R630QRAS
180 ]
181 ],
182 },
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]183 ],
184 },
185 benji:: {
186 metadataStorageClass: "waw-hdd-redundant-3",
187 encryptionPassword: std.split((importstr "../secrets/plain/k0-benji-encryption-password"), '\n')[0],
188 pools: [
189 "waw-hdd-redundant-3",
190 "waw-hdd-redundant-3-metadata",
191 "waw-hdd-yolo-3",
192 ],
193 s3Configuration: {
194 awsAccessKeyId: "RPYZIROFXNLQVU2WJ4R3",
195 awsSecretAccessKey: std.split((importstr "../secrets/plain/k0-benji-secret-access-key"), '\n')[0],
196 bucketName: "benji-k0-backups-waw3",
197 endpointUrl: "https://s3.eu-central-1.wasabisys.com/",
198 },
199 }
200 },
201 },
202 waw3Pools: {
203 // redundant block storage
204 blockRedundant: rook.ECBlockPool(k0.ceph.waw3, "waw-hdd-redundant-3") {
205 metadataReplicas: 2,
206 spec: {
207 failureDomain: "host",
208 replicated: {
209 size: 2,
210 },
211 },
212 },
Serge Bazanski242ec582020-09-20 15:36:11 +0000[diff] [blame]213 // q3k's personal pool, used externally from k8s.
214 q3kRedundant: rook.ECBlockPool(k0.ceph.waw3, "waw-hdd-redundant-q3k-3") {
215 metadataReplicas: 2,
216 spec: {
217 failureDomain: "host",
218 replicated: {
219 size: 2,
220 },
221 },
222 },
Serge Bazanski38f72fe2021-09-13 23:43:47 +0000[diff] [blame]223
224 object: {
225 local poolSpec = {
226 failureDomain: "host",
227 replicated: { size: 2 },
228 },
229
230 realm: rook.S3ObjectRealm(k0.ceph.waw3, "hscloud"),
231 zonegroup: rook.S3ObjectZoneGroup(self.realm, "eu"),
232 // This is serving at object.ceph-waw3.hswaw.net, but
233 // internally to Ceph it is known as
234 // waw-hdd-redundant-3-object (name of radosgw zone).
235 store: rook.S3ObjectStore(self.zonegroup, "waw-hdd-redundant-3-object") {
236 cfg+: {
237 // Override so that this radosgw serves on
238 // object.ceph-{waw3,eu}.hswaw.net instead of
239 // ceph-{waw-hdd-redundant-3-object,eu}.
240 domainParts: [
241 "waw3", "eu",
242 ],
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]243 },
Serge Bazanski38f72fe2021-09-13 23:43:47 +0000[diff] [blame]244 spec: {
245 metadataPool: poolSpec,
246 dataPool: poolSpec,
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]247 },
248 },
249 },
250 },
251
252 // Clients for S3/radosgw storage.
253 clients: {
Piotr Dobrowolskiba816552023-10-07 20:14:51 +0200[diff] [blame]254 local ObjectStoreUser(name) = kube.CephObjectStoreUser(name) {
255 metadata+: {
256 namespace: "ceph-waw3",
257 },
258 spec: {
259 store: "waw-hdd-redundant-3-object",
260 displayName: name,
261 },
262 },
263
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]264 # Used for owncloud.hackerspace.pl, which for now lives on boston-packets.hackerspace.pl.
Piotr Dobrowolskiba816552023-10-07 20:14:51 +0200[diff] [blame]265 nextcloudWaw3: ObjectStoreUser("nextcloud"),
Piotr Dobrowolski3b8a43f2021-02-01 21:19:48 +0100[diff] [blame]266 # issues.hackerspace.pl (redmine) attachments bucket
Piotr Dobrowolskiba816552023-10-07 20:14:51 +0200[diff] [blame]267 issuesWaw3: ObjectStoreUser("issues"),
Piotr Dobrowolskie839f952021-09-14 22:21:22 +0200[diff] [blame]268 # matrix.hackerspace.pl media storage bucket
Piotr Dobrowolskiba816552023-10-07 20:14:51 +0200[diff] [blame]269 matrixWaw3: ObjectStoreUser("matrix"),
Bartosz Stebel54a34b22022-03-05 23:20:56 +0100[diff] [blame]270 # tape staging temporary storage
Piotr Dobrowolskiba816552023-10-07 20:14:51 +0200[diff] [blame]271 tapeStaging: ObjectStoreUser("tape-staging"),
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]272
273 # nuke@hackerspace.pl's personal storage.
Piotr Dobrowolskiba816552023-10-07 20:14:51 +0200[diff] [blame]274 nukePersonalWaw3: ObjectStoreUser("nuke-personal"),
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]275
276 # patryk@hackerspace.pl's ArmA3 mod bucket.
Piotr Dobrowolskiba816552023-10-07 20:14:51 +0200[diff] [blame]277 cz2ArmaModsWaw3: ObjectStoreUser("cz2-arma3mods"),
278
Bartosz Stebel0156ab22023-02-20 21:33:33 +0100[diff] [blame]279 # implr's personal user
Piotr Dobrowolskiba816552023-10-07 20:14:51 +0200[diff] [blame]280 implrSparkWaw3: ObjectStoreUser("implr"),
281
Sergiusz Bazanskib1aadd82020-06-24 19:06:17 +0200[diff] [blame]282 # q3k's personal user
Piotr Dobrowolskiba816552023-10-07 20:14:51 +0200[diff] [blame]283 q3kWaw3: ObjectStoreUser("q3k"),
284
Serge Bazanskibfe9bb02020-10-27 20:50:50 +0100[diff] [blame]285 # woju's personal user
Piotr Dobrowolskiba816552023-10-07 20:14:51 +0200[diff] [blame]286 wojuWaw3: ObjectStoreUser("woju"),
287
Patryk Jakuszew34668a52020-11-28 13:45:25 +0100[diff] [blame]288 # cz3's (patryk@hackerspace.pl) personal user
Piotr Dobrowolskiba816552023-10-07 20:14:51 +0200[diff] [blame]289 cz3Waw3: ObjectStoreUser("cz3"),
290
Piotr Dobrowolskie839f952021-09-14 22:21:22 +0200[diff] [blame]291 # informatic's personal user
Piotr Dobrowolskiba816552023-10-07 20:14:51 +0200[diff] [blame]292 informaticWaw3: ObjectStoreUser("informatic"),
293
Serge Bazanski16842112022-11-17 19:30:05 +0000[diff] [blame]294 # mastodon qa and prod
295 mastodonWaw3: {
Piotr Dobrowolskiba816552023-10-07 20:14:51 +0200[diff] [blame]296 qa: ObjectStoreUser("mastodon-qa"),
297 prod: ObjectStoreUser("mastodon-prod"),
Serge Bazanski16842112022-11-17 19:30:05 +0000[diff] [blame]298 },
Piotr Dobrowolskiba816552023-10-07 20:14:51 +0200[diff] [blame]299
300 codehostingWaw3: ObjectStoreUser("codehosting"),
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]301 },
302 },
303
304
305 # These are policies allowing for Insecure pods in some namespaces.
306 # A lot of them are spurious and come from the fact that we deployed
307 # these namespaces before we deployed the draconian PodSecurityPolicy
308 # we have now. This should be fixed by setting up some more granular
309 # policies, or fixing the workloads to not need some of the permission
310 # bits they use, whatever those might be.
311 # TODO(q3k): fix this?
312 unnecessarilyInsecureNamespaces: [
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]313 policies.AllowNamespaceInsecure("ceph-waw3"),
314 policies.AllowNamespaceInsecure("matrix"),
315 policies.AllowNamespaceInsecure("registry"),
316 policies.AllowNamespaceInsecure("internet"),
317 # TODO(implr): restricted policy with CAP_NET_ADMIN and tuntap, but no full root
318 policies.AllowNamespaceInsecure("implr-vpn"),
Radek Pietruszewski934f7d32023-11-03 19:02:51 +0100[diff] [blame]319 // For SourceGraph's tini container mess.
320 policies.AllowNamespaceMostlySecure("sourcegraph"),
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]321 ],
Serge Bazanski3c5d8362021-02-06 17:27:02 +0000[diff] [blame]322
323 # Admission controller that permits non-privileged users to manage
324 # their namespaces without danger of hijacking important URLs.
325 admitomatic: admitomatic.Environment {
326 cfg+: {
327 proto: {
328 // Domains allowed in given namespaces. If a domain exists
329 // anywhere, ingresses will only be permitted to be created
330 // within namespaces in which it appears here. This works
331 // the same way for wildcards, if a wildcard exists in this
332 // list it blocks all unauthorized uses of that domain
333 // elsewhere.
334 //
335 // See //cluster/admitomatic for more information.
336 //
337 // Or, tl;dr:
338 //
339 // If you do a wildcard CNAME onto the k0 ingress, you
340 // should explicitly state *.your.name.com here.
341 //
342 // If you just want to protect your host from being
343 // hijacked by other cluster users, you should also state
344 // it here (either as a wildcard, or unary domains).
345 allow_domain: [
radexc2c66bf2023-08-17 14:28:32 +0200[diff] [blame]346 { namespace: "inventory", dns: "inventory.hackerspace.pl" },
radex3ca84542023-10-08 23:52:08 +0200[diff] [blame]347 { namespace: "capacifier", dns: "capacifier.hackerspace.pl" },
radexb8d4a8a2023-09-22 23:46:05 +0200[diff] [blame]348 { namespace: "ldapweb", dns: "profile.hackerspace.pl" },
radex3fdda9c2023-10-23 22:25:35 +0200[diff] [blame]349 { namespace: "walne", dns: "walne.hackerspace.pl" },
Serge Bazanski3c5d8362021-02-06 17:27:02 +0000[diff] [blame]350 { namespace: "devtools-prod", dns: "hackdoc.hackerspace.pl" },
351 { namespace: "devtools-prod", dns: "cs.hackerspace.pl" },
Radek Pietruszewski934f7d32023-11-03 19:02:51 +0100[diff] [blame]352 { namespace: "sourcegraph", dns: "cs.hackerspace.pl" },
Piotr Dobrowolskie4519b12023-10-07 21:13:02 +0200[diff] [blame]353 { namespace: "codehosting-prod", dns: "git.hackerspace.pl" },
354 { namespace: "codehosting-prod", dns: "code.hackerspace.pl" },
Serge Bazanski3c5d8362021-02-06 17:27:02 +0000[diff] [blame]355 { namespace: "engelsystem-prod", dns: "engelsystem.hackerspace.pl" },
356 { namespace: "gerrit", dns: "gerrit.hackerspace.pl" },
Serge Bazanski6e10e462023-10-08 12:29:55 +0000[diff] [blame]357 { namespace: "gerrit-qa", dns: "gerrit-qa.hackerspace.pl" },
Serge Bazanski3c5d8362021-02-06 17:27:02 +0000[diff] [blame]358 { namespace: "gitea-prod", dns: "gitea.hackerspace.pl" },
359 { namespace: "hswaw-prod", dns: "*.hackerspace.pl" },
Serge Bazanski99b91b12021-03-28 17:34:32 +0000[diff] [blame]360 { namespace: "hswaw-prod", dns: "*.hswaw.net" },
Serge Bazanski63ce4232023-10-09 23:41:15 +0000[diff] [blame]361 { namespace: "site", dns: "new.hackerspace.pl" },
Serge Bazanski3c5d8362021-02-06 17:27:02 +0000[diff] [blame]362 { namespace: "internet", dns: "internet.hackerspace.pl" },
363 { namespace: "matrix", dns: "matrix.hackerspace.pl" },
364 { namespace: "onlyoffice-prod", dns: "office.hackerspace.pl" },
Piotr Dobrowolski3b2a2a22023-01-05 08:26:02 +0100[diff] [blame]365 { namespace: "paperless", dns: "paperless.hackerspace.pl" },
Serge Bazanski3c5d8362021-02-06 17:27:02 +0000[diff] [blame]366 { namespace: "redmine", dns: "issues.hackerspace.pl" },
Serge Bazanski877cf0a2021-02-08 00:34:34 +0100[diff] [blame]367 { namespace: "redmine", dns: "b.hackerspace.pl" },
368 { namespace: "redmine", dns: "b.hswaw.net" },
369 { namespace: "redmine", dns: "xn--137h.hackerspace.pl" },
370 { namespace: "redmine", dns: "xn--137h.hswaw.net" },
Serge Bazanski3c5d8362021-02-06 17:27:02 +0000[diff] [blame]371 { namespace: "speedtest", dns: "speedtest.hackerspace.pl" },
372 { namespace: "sso", dns: "sso.hackerspace.pl" },
Serge Bazanski16842112022-11-17 19:30:05 +0000[diff] [blame]373 { namespace: "mastodon-hackerspace-qa", dns: "social-qa-2.hackerspace.pl" },
374 { namespace: "mastodon-hackerspace-prod", dns: "social.hackerspace.pl" },
Serge Bazanski3c5d8362021-02-06 17:27:02 +0000[diff] [blame]375
radexe36beba2023-10-11 00:41:48 +0200[diff] [blame]376 // auto-namespaced domains, i.e:
377 // USER.hscloud.ovh is allowed for personal-USER namespace
378 // *.USER.hscloud.ovh is allowed for personal-USER namespace
379 { namespace: "personal-$2", dns: "(.*\\.)?([^.]+)\\.hscloud\\.ovh", regexp: true },
380
381 // cluster infra
Serge Bazanski3c5d8362021-02-06 17:27:02 +0000[diff] [blame]382 { namespace: "ceph-waw3", dns: "ceph-waw3.hswaw.net" },
383 { namespace: "ceph-waw3", dns: "object.ceph-waw3.hswaw.net" },
Serge Bazanski38f72fe2021-09-13 23:43:47 +0000[diff] [blame]384 { namespace: "ceph-waw3", dns: "object.ceph-eu.hswaw.net" },
Serge Bazanski3c5d8362021-02-06 17:27:02 +0000[diff] [blame]385 { namespace: "monitoring-global-k0", dns: "*.hswaw.net" },
386 { namespace: "registry", dns: "*.hswaw.net" },
387
radexe36beba2023-10-11 00:41:48 +0200[diff] [blame]388 // personal namespaces
Serge Bazanski3c5d8362021-02-06 17:27:02 +0000[diff] [blame]389 { namespace: "q3k", dns: "*.q3k.org" },
390 { namespace: "personal-q3k", dns: "*.q3k.org" },
radexe36beba2023-10-11 00:41:48 +0200[diff] [blame]391 { namespace: "personal-radex", dns: "hs.radex.io" },
392 { namespace: "personal-radex", dns: "*.hs.radex.io" },
Serge Bazanski3c5d8362021-02-06 17:27:02 +0000[diff] [blame]393 ],
Serge Bazanskic1f37252023-06-19 21:56:29 +0000[diff] [blame]394
395 anything_goes_namespace: [
396 // sourcegraph ingress wants a config snippet to set a header.
397 "devtools-prod",
Radek Pietruszewski934f7d32023-11-03 19:02:51 +0100[diff] [blame]398 "sourcegraph",
Serge Bazanskic1f37252023-06-19 21:56:29 +0000[diff] [blame]399 ],
Serge Bazanski3c5d8362021-02-06 17:27:02 +0000[diff] [blame]400 },
401 },
402 },
radex0776a792023-10-10 00:02:29 +0200[diff] [blame]403
404 // Configuration of RoleBindings
405 admins: admins.NamespaceAdmins {
406 // Cluster staff have full access to all namespaces
407 // To give non-staff users admin access scoped to a given namespace,
408 // add them to the list below.
409 // (system:admin-namespace role is given to <user>@hackerspace.pl)
410 namespaces:: {
411 "inventory": [
412 "radex",
413 "palid",
414 ],
radex3fdda9c2023-10-23 22:25:35 +0200[diff] [blame]415 "walne": [
416 "radex",
417 "palid",
418 ],
radex0776a792023-10-10 00:02:29 +0200[diff] [blame]419 "site": [
420 "ar",
421 "radex",
422 ],
423 "valheim": [
424 "patryk",
425 "palid",
426 ],
427 "matrix-0x3c": [
428 "not7cd",
429 ],
430 "hswaw-prod": [
431 "ar",
432 "radex",
433 ],
434 "ldapweb": [
435 "radex",
436 ],
Radek Pietruszewskia6592b82023-10-30 20:27:25 +0100[diff] [blame]437 "devtools-prod": [
438 "radex",
439 ],
440 "depotview": [
441 "radex",
442 ],
443 "hackdoc": [
444 "radex",
445 ],
446 "sourcegraph": [
447 "radex",
448 ],
449 "speedtest": [
450 "radex",
451 ],
452 "internet": [
453 "radex",
454 ],
455 "cebulacamp": [
456 "radex",
457 ],
458 "teleimg": [
459 "radex",
460 ],
461 "pretalx": [
462 "radex",
463 ],
radex0776a792023-10-10 00:02:29 +0200[diff] [blame]464 }
465 }
Sergiusz Bazanskidbfa9882020-06-06 01:21:45 +0200[diff] [blame]466 },
467}