Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 1 | // k0.hswaw.net kubernetes cluster |
| 2 | // This defines the cluster as a single object. |
| 3 | // Use the sibling k0*.jsonnet 'view' files to actually apply the configuration. |
| 4 | |
| 5 | local kube = import "../../kube/kube.libsonnet"; |
| 6 | local policies = import "../../kube/policies.libsonnet"; |
| 7 | |
| 8 | local cluster = import "cluster.libsonnet"; |
| 9 | |
Serge Bazanski | 3c5d836 | 2021-02-06 17:27:02 +0000 | [diff] [blame] | 10 | local admitomatic = import "lib/admitomatic.libsonnet"; |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 11 | local cockroachdb = import "lib/cockroachdb.libsonnet"; |
| 12 | local registry = import "lib/registry.libsonnet"; |
| 13 | local rook = import "lib/rook.libsonnet"; |
radex | 0776a79 | 2023-10-10 00:02:29 +0200 | [diff] [blame] | 14 | local admins = import "lib/admins.libsonnet"; |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 15 | |
| 16 | { |
| 17 | k0: { |
| 18 | local k0 = self, |
| 19 | cluster: cluster.Cluster("k0", "hswaw.net") { |
| 20 | cfg+: { |
Serge Bazanski | 3d29484 | 2020-08-04 01:34:07 +0200 | [diff] [blame] | 21 | storageClassNameParanoid: k0.ceph.waw3Pools.blockRedundant.name, |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 22 | }, |
| 23 | metallb+: { |
| 24 | cfg+: { |
Serge Bazanski | a5ed644 | 2020-09-20 22:52:57 +0000 | [diff] [blame] | 25 | // Peer with calico running on same node. |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 26 | peers: [ |
| 27 | { |
Serge Bazanski | a5ed644 | 2020-09-20 22:52:57 +0000 | [diff] [blame] | 28 | "peer-address": "127.0.0.1", |
| 29 | "peer-asn": 65003, |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 30 | "my-asn": 65002, |
| 31 | }, |
| 32 | ], |
Serge Bazanski | a5ed644 | 2020-09-20 22:52:57 +0000 | [diff] [blame] | 33 | // Public IP address pools. Keep in sync with k0.calico.yaml. |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 34 | addressPools: [ |
| 35 | { |
| 36 | name: "public-v4-1", |
| 37 | protocol: "bgp", |
| 38 | addresses: [ |
| 39 | "185.236.240.48/28", |
| 40 | ], |
| 41 | }, |
| 42 | { |
| 43 | name: "public-v4-2", |
| 44 | protocol: "bgp", |
| 45 | addresses: [ |
| 46 | "185.236.240.112/28" |
| 47 | ], |
| 48 | }, |
| 49 | ], |
| 50 | }, |
| 51 | }, |
| 52 | }, |
| 53 | |
| 54 | // Docker registry |
| 55 | registry: registry.Environment { |
| 56 | cfg+: { |
| 57 | domain: "registry.%s" % [k0.cluster.fqdn], |
| 58 | storageClassName: k0.cluster.cfg.storageClassNameParanoid, |
Serge Bazanski | 3d29484 | 2020-08-04 01:34:07 +0200 | [diff] [blame] | 59 | objectStorageName: "waw-hdd-redundant-3-object", |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 60 | }, |
| 61 | }, |
| 62 | |
| 63 | // CockroachDB, running on bc01n{01,02,03}. |
| 64 | cockroach: { |
| 65 | waw2: cockroachdb.Cluster("crdb-waw1") { |
| 66 | cfg+: { |
| 67 | topology: [ |
Patryk Jakuszew | edf14cc | 2021-01-23 23:00:29 +0100 | [diff] [blame] | 68 | { name: "dcr01s22", node: "dcr01s22.hswaw.net" }, |
Serge Bazanski | bdd403c | 2021-10-28 23:37:38 +0000 | [diff] [blame] | 69 | { name: "dcr01s24", node: "dcr01s24.hswaw.net" }, |
Serge Bazanski | 6534969 | 2023-10-09 20:26:30 +0000 | [diff] [blame] | 70 | { name: "dcr03s16", node: "dcr03s16.hswaw.net" }, |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 71 | ], |
| 72 | // Host path on SSD. |
| 73 | hostPath: "/var/db/crdb-waw1", |
Serge Bazanski | 509ab6e | 2020-07-30 22:43:20 +0200 | [diff] [blame] | 74 | extraDNS: [ |
| 75 | "crdb-waw1.hswaw.net", |
| 76 | ], |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 77 | }, |
Serge Bazanski | bdd403c | 2021-10-28 23:37:38 +0000 | [diff] [blame] | 78 | initJob:: null, |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 79 | }, |
| 80 | clients: { |
| 81 | cccampix: k0.cockroach.waw2.Client("cccampix"), |
| 82 | cccampixDev: k0.cockroach.waw2.Client("cccampix-dev"), |
| 83 | buglessDev: k0.cockroach.waw2.Client("bugless-dev"), |
| 84 | sso: k0.cockroach.waw2.Client("sso"), |
Serge Bazanski | 509ab6e | 2020-07-30 22:43:20 +0200 | [diff] [blame] | 85 | herpDev: k0.cockroach.waw2.Client("herp-dev"), |
Patryk Jakuszew | f315388 | 2021-01-23 15:38:50 +0100 | [diff] [blame] | 86 | gitea: k0.cockroach.waw2.Client("gitea"), |
Piotr Dobrowolski | f4a6a56 | 2021-02-01 21:32:25 +0100 | [diff] [blame] | 87 | issues: k0.cockroach.waw2.Client("issues"), |
Serge Bazanski | bf266c6 | 2021-03-17 21:48:58 +0000 | [diff] [blame] | 88 | dns: k0.cockroach.waw2.Client("dns"), |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 89 | }, |
| 90 | }, |
| 91 | |
| 92 | ceph: { |
| 93 | // waw1 cluster - dead as of 2019/08/06, data corruption |
Serge Bazanski | 61f978a | 2021-01-22 16:26:07 +0100 | [diff] [blame] | 94 | // waw2 cluster - dead as of 2021/01/22, torn down (horrible M610 RAID controllers are horrible) |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 95 | |
Serge Bazanski | 464fb04 | 2021-09-11 20:24:27 +0000 | [diff] [blame] | 96 | // waw3: 6TB SAS 3.5" HDDs, internal Rook cluster. |
| 97 | // |
| 98 | // Suffers from rook going apeshit and nuking all mons if enough of |
| 99 | // a control plane is up for rook to run but if nodes are |
| 100 | // unavailable to the point of it deciding that no mon exists and |
| 101 | // it should create some new ones, fully nuking the monmap and |
| 102 | // making recovery a pain. |
| 103 | // |
| 104 | // Supposedly new versions of Rook slowly fix these issues, but q3k |
| 105 | // doesn't personally trust this codebase anymore. He'd rather |
| 106 | // manage the actual Ceph cluster myself, we don't need all of this |
| 107 | // magic. |
| 108 | // |
| 109 | // See: b.hswaw.net/6 |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 110 | waw3: rook.Cluster(k0.cluster.rook, "ceph-waw3") { |
| 111 | spec: { |
| 112 | mon: { |
Serge Bazanski | 1684211 | 2022-11-17 19:30:05 +0000 | [diff] [blame] | 113 | count: 3, |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 114 | allowMultiplePerNode: false, |
| 115 | }, |
Serge Bazanski | 793ca1b | 2021-03-07 00:07:19 +0000 | [diff] [blame] | 116 | resources: { |
| 117 | osd: { |
| 118 | requests: { |
Serge Bazanski | 64de7af | 2021-03-17 21:47:29 +0000 | [diff] [blame] | 119 | cpu: "2", |
| 120 | memory: "6G", |
Serge Bazanski | 793ca1b | 2021-03-07 00:07:19 +0000 | [diff] [blame] | 121 | }, |
| 122 | limits: { |
Serge Bazanski | 64de7af | 2021-03-17 21:47:29 +0000 | [diff] [blame] | 123 | cpu: "2", |
| 124 | memory: "8G", |
Serge Bazanski | 793ca1b | 2021-03-07 00:07:19 +0000 | [diff] [blame] | 125 | }, |
| 126 | }, |
| 127 | |
| 128 | }, |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 129 | storage: { |
| 130 | useAllNodes: false, |
| 131 | useAllDevices: false, |
| 132 | config: { |
| 133 | databaseSizeMB: "1024", |
| 134 | journalSizeMB: "1024", |
| 135 | }, |
Serge Bazanski | 464fb04 | 2021-09-11 20:24:27 +0000 | [diff] [blame] | 136 | |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 137 | nodes: [ |
| 138 | { |
| 139 | name: "dcr01s22.hswaw.net", |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 140 | devices: [ |
Serge Bazanski | 464fb04 | 2021-09-11 20:24:27 +0000 | [diff] [blame] | 141 | { name: "/dev/disk/by-id/wwn-0x" + id } |
| 142 | for id in [ |
Serge Bazanski | 712a5dc | 2023-02-28 01:15:40 +0000 | [diff] [blame] | 143 | "5000c5008508c433", # ST6000NM0034 Z4D40QZR0000R629ME1B |
| 144 | "5000c500850989cf", # ST6000NM0034 Z4D40JRL0000R63008A2 |
| 145 | "5000c5008508baf7", # ST6000NM0034 Z4D40M380000R630V00M |
| 146 | "5000c5008508f843", # ST6000NM0034 Z4D40LGP0000R630UVTD |
| 147 | "5000c500850312cb", # ST6000NM0034 Z4D3ZAAX0000R629NW31 |
| 148 | "5000c500850293e3", # ST6000NM0034 Z4D3Z5TD0000R629MF7P |
| 149 | "5000c5008508e3ef", # ST6000NM0034 Z4D40LM50000R630V0W3 |
| 150 | "5000c5008508e23f", # ST6000NM0034 Z4D40QMX0000R629MD3C |
Serge Bazanski | 464fb04 | 2021-09-11 20:24:27 +0000 | [diff] [blame] | 151 | ] |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 152 | ], |
| 153 | }, |
| 154 | { |
| 155 | name: "dcr01s24.hswaw.net", |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 156 | devices: [ |
Serge Bazanski | 464fb04 | 2021-09-11 20:24:27 +0000 | [diff] [blame] | 157 | { name: "/dev/disk/by-id/wwn-0x" + id } |
| 158 | for id in [ |
Serge Bazanski | 7572f07 | 2023-03-10 20:54:35 +0100 | [diff] [blame] | 159 | "5000c5008508c9ef", # ST6000NM0034 Z4D40LY40000R630UZCE |
| 160 | "5000c5008508df33", # ST6000NM0034 Z4D40QQ00000R629MB25 |
| 161 | "5000c5008508dd3b", # ST6000NM0034 Z4D40QQJ0000R630RBY6 |
| 162 | "5000c5008509199b", # ST6000NM0034 Z4D40QG10000R630V0X9 |
| 163 | "5000c5008508ee03", # ST6000NM0034 Z4D40LHH0000R630UYP0 |
| 164 | "5000c50085046abf", # ST6000NM0034 Z4D3ZF1B0000R629NV9P |
| 165 | "5000c5008502929b", # ST6000NM0034 Z4D3Z5WG0000R629MF14 |
Serge Bazanski | 464fb04 | 2021-09-11 20:24:27 +0000 | [diff] [blame] | 166 | ] |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 167 | ], |
| 168 | }, |
Serge Bazanski | 18c27ae | 2023-10-13 13:44:18 +0200 | [diff] [blame] | 169 | { |
| 170 | name: "dcr03s16.hswaw.net", |
| 171 | devices: [ |
| 172 | { name: "/dev/disk/by-id/wwn-0x" + id } |
| 173 | for id in [ |
| 174 | "5000c5008508fb73", # ST6000NM0034 Z4D40LEF0000R630UX98 |
| 175 | "5000c5008508c3a7", # ST6000NM0034 Z4D40LZV0000R630UY91 |
| 176 | "5000c5008508d7bf", # ST6000NM0034 Z4D40LPT0000R629NXBF |
| 177 | "5000c5008502952f", # ST6000NM0034 Z4D3Z5RA0000R628P45F |
| 178 | "5000c5008502aa4b", # ST6000NM0034 Z4D3Z5A00000R630RU2T |
| 179 | "5000c5008508d677", # ST6000NM0034 Z4D40LQH0000R630QRAS |
| 180 | ] |
| 181 | ], |
| 182 | }, |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 183 | ], |
| 184 | }, |
| 185 | benji:: { |
| 186 | metadataStorageClass: "waw-hdd-redundant-3", |
| 187 | encryptionPassword: std.split((importstr "../secrets/plain/k0-benji-encryption-password"), '\n')[0], |
| 188 | pools: [ |
| 189 | "waw-hdd-redundant-3", |
| 190 | "waw-hdd-redundant-3-metadata", |
| 191 | "waw-hdd-yolo-3", |
| 192 | ], |
| 193 | s3Configuration: { |
| 194 | awsAccessKeyId: "RPYZIROFXNLQVU2WJ4R3", |
| 195 | awsSecretAccessKey: std.split((importstr "../secrets/plain/k0-benji-secret-access-key"), '\n')[0], |
| 196 | bucketName: "benji-k0-backups-waw3", |
| 197 | endpointUrl: "https://s3.eu-central-1.wasabisys.com/", |
| 198 | }, |
| 199 | } |
| 200 | }, |
| 201 | }, |
| 202 | waw3Pools: { |
| 203 | // redundant block storage |
| 204 | blockRedundant: rook.ECBlockPool(k0.ceph.waw3, "waw-hdd-redundant-3") { |
| 205 | metadataReplicas: 2, |
| 206 | spec: { |
| 207 | failureDomain: "host", |
| 208 | replicated: { |
| 209 | size: 2, |
| 210 | }, |
| 211 | }, |
| 212 | }, |
Serge Bazanski | 242ec58 | 2020-09-20 15:36:11 +0000 | [diff] [blame] | 213 | // q3k's personal pool, used externally from k8s. |
| 214 | q3kRedundant: rook.ECBlockPool(k0.ceph.waw3, "waw-hdd-redundant-q3k-3") { |
| 215 | metadataReplicas: 2, |
| 216 | spec: { |
| 217 | failureDomain: "host", |
| 218 | replicated: { |
| 219 | size: 2, |
| 220 | }, |
| 221 | }, |
| 222 | }, |
Serge Bazanski | 38f72fe | 2021-09-13 23:43:47 +0000 | [diff] [blame] | 223 | |
| 224 | object: { |
| 225 | local poolSpec = { |
| 226 | failureDomain: "host", |
| 227 | replicated: { size: 2 }, |
| 228 | }, |
| 229 | |
| 230 | realm: rook.S3ObjectRealm(k0.ceph.waw3, "hscloud"), |
| 231 | zonegroup: rook.S3ObjectZoneGroup(self.realm, "eu"), |
| 232 | // This is serving at object.ceph-waw3.hswaw.net, but |
| 233 | // internally to Ceph it is known as |
| 234 | // waw-hdd-redundant-3-object (name of radosgw zone). |
| 235 | store: rook.S3ObjectStore(self.zonegroup, "waw-hdd-redundant-3-object") { |
| 236 | cfg+: { |
| 237 | // Override so that this radosgw serves on |
| 238 | // object.ceph-{waw3,eu}.hswaw.net instead of |
| 239 | // ceph-{waw-hdd-redundant-3-object,eu}. |
| 240 | domainParts: [ |
| 241 | "waw3", "eu", |
| 242 | ], |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 243 | }, |
Serge Bazanski | 38f72fe | 2021-09-13 23:43:47 +0000 | [diff] [blame] | 244 | spec: { |
| 245 | metadataPool: poolSpec, |
| 246 | dataPool: poolSpec, |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 247 | }, |
| 248 | }, |
| 249 | }, |
| 250 | }, |
| 251 | |
| 252 | // Clients for S3/radosgw storage. |
| 253 | clients: { |
Piotr Dobrowolski | ba81655 | 2023-10-07 20:14:51 +0200 | [diff] [blame] | 254 | local ObjectStoreUser(name) = kube.CephObjectStoreUser(name) { |
| 255 | metadata+: { |
| 256 | namespace: "ceph-waw3", |
| 257 | }, |
| 258 | spec: { |
| 259 | store: "waw-hdd-redundant-3-object", |
| 260 | displayName: name, |
| 261 | }, |
| 262 | }, |
| 263 | |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 264 | # Used for owncloud.hackerspace.pl, which for now lives on boston-packets.hackerspace.pl. |
Piotr Dobrowolski | ba81655 | 2023-10-07 20:14:51 +0200 | [diff] [blame] | 265 | nextcloudWaw3: ObjectStoreUser("nextcloud"), |
Piotr Dobrowolski | 3b8a43f | 2021-02-01 21:19:48 +0100 | [diff] [blame] | 266 | # issues.hackerspace.pl (redmine) attachments bucket |
Piotr Dobrowolski | ba81655 | 2023-10-07 20:14:51 +0200 | [diff] [blame] | 267 | issuesWaw3: ObjectStoreUser("issues"), |
Piotr Dobrowolski | e839f95 | 2021-09-14 22:21:22 +0200 | [diff] [blame] | 268 | # matrix.hackerspace.pl media storage bucket |
Piotr Dobrowolski | ba81655 | 2023-10-07 20:14:51 +0200 | [diff] [blame] | 269 | matrixWaw3: ObjectStoreUser("matrix"), |
Bartosz Stebel | 54a34b2 | 2022-03-05 23:20:56 +0100 | [diff] [blame] | 270 | # tape staging temporary storage |
Piotr Dobrowolski | ba81655 | 2023-10-07 20:14:51 +0200 | [diff] [blame] | 271 | tapeStaging: ObjectStoreUser("tape-staging"), |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 272 | |
| 273 | # nuke@hackerspace.pl's personal storage. |
Piotr Dobrowolski | ba81655 | 2023-10-07 20:14:51 +0200 | [diff] [blame] | 274 | nukePersonalWaw3: ObjectStoreUser("nuke-personal"), |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 275 | |
| 276 | # patryk@hackerspace.pl's ArmA3 mod bucket. |
Piotr Dobrowolski | ba81655 | 2023-10-07 20:14:51 +0200 | [diff] [blame] | 277 | cz2ArmaModsWaw3: ObjectStoreUser("cz2-arma3mods"), |
| 278 | |
Bartosz Stebel | 0156ab2 | 2023-02-20 21:33:33 +0100 | [diff] [blame] | 279 | # implr's personal user |
Piotr Dobrowolski | ba81655 | 2023-10-07 20:14:51 +0200 | [diff] [blame] | 280 | implrSparkWaw3: ObjectStoreUser("implr"), |
| 281 | |
Sergiusz Bazanski | b1aadd8 | 2020-06-24 19:06:17 +0200 | [diff] [blame] | 282 | # q3k's personal user |
Piotr Dobrowolski | ba81655 | 2023-10-07 20:14:51 +0200 | [diff] [blame] | 283 | q3kWaw3: ObjectStoreUser("q3k"), |
| 284 | |
Serge Bazanski | bfe9bb0 | 2020-10-27 20:50:50 +0100 | [diff] [blame] | 285 | # woju's personal user |
Piotr Dobrowolski | ba81655 | 2023-10-07 20:14:51 +0200 | [diff] [blame] | 286 | wojuWaw3: ObjectStoreUser("woju"), |
| 287 | |
Patryk Jakuszew | 34668a5 | 2020-11-28 13:45:25 +0100 | [diff] [blame] | 288 | # cz3's (patryk@hackerspace.pl) personal user |
Piotr Dobrowolski | ba81655 | 2023-10-07 20:14:51 +0200 | [diff] [blame] | 289 | cz3Waw3: ObjectStoreUser("cz3"), |
| 290 | |
Piotr Dobrowolski | e839f95 | 2021-09-14 22:21:22 +0200 | [diff] [blame] | 291 | # informatic's personal user |
Piotr Dobrowolski | ba81655 | 2023-10-07 20:14:51 +0200 | [diff] [blame] | 292 | informaticWaw3: ObjectStoreUser("informatic"), |
| 293 | |
Serge Bazanski | 1684211 | 2022-11-17 19:30:05 +0000 | [diff] [blame] | 294 | # mastodon qa and prod |
| 295 | mastodonWaw3: { |
Piotr Dobrowolski | ba81655 | 2023-10-07 20:14:51 +0200 | [diff] [blame] | 296 | qa: ObjectStoreUser("mastodon-qa"), |
| 297 | prod: ObjectStoreUser("mastodon-prod"), |
Serge Bazanski | 1684211 | 2022-11-17 19:30:05 +0000 | [diff] [blame] | 298 | }, |
Piotr Dobrowolski | ba81655 | 2023-10-07 20:14:51 +0200 | [diff] [blame] | 299 | |
| 300 | codehostingWaw3: ObjectStoreUser("codehosting"), |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 301 | }, |
| 302 | }, |
| 303 | |
| 304 | |
| 305 | # These are policies allowing for Insecure pods in some namespaces. |
| 306 | # A lot of them are spurious and come from the fact that we deployed |
| 307 | # these namespaces before we deployed the draconian PodSecurityPolicy |
| 308 | # we have now. This should be fixed by setting up some more granular |
| 309 | # policies, or fixing the workloads to not need some of the permission |
| 310 | # bits they use, whatever those might be. |
| 311 | # TODO(q3k): fix this? |
| 312 | unnecessarilyInsecureNamespaces: [ |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 313 | policies.AllowNamespaceInsecure("ceph-waw3"), |
| 314 | policies.AllowNamespaceInsecure("matrix"), |
| 315 | policies.AllowNamespaceInsecure("registry"), |
| 316 | policies.AllowNamespaceInsecure("internet"), |
| 317 | # TODO(implr): restricted policy with CAP_NET_ADMIN and tuntap, but no full root |
| 318 | policies.AllowNamespaceInsecure("implr-vpn"), |
Radek Pietruszewski | 934f7d3 | 2023-11-03 19:02:51 +0100 | [diff] [blame] | 319 | // For SourceGraph's tini container mess. |
| 320 | policies.AllowNamespaceMostlySecure("sourcegraph"), |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 321 | ], |
Serge Bazanski | 3c5d836 | 2021-02-06 17:27:02 +0000 | [diff] [blame] | 322 | |
| 323 | # Admission controller that permits non-privileged users to manage |
| 324 | # their namespaces without danger of hijacking important URLs. |
| 325 | admitomatic: admitomatic.Environment { |
| 326 | cfg+: { |
| 327 | proto: { |
| 328 | // Domains allowed in given namespaces. If a domain exists |
| 329 | // anywhere, ingresses will only be permitted to be created |
| 330 | // within namespaces in which it appears here. This works |
| 331 | // the same way for wildcards, if a wildcard exists in this |
| 332 | // list it blocks all unauthorized uses of that domain |
| 333 | // elsewhere. |
| 334 | // |
| 335 | // See //cluster/admitomatic for more information. |
| 336 | // |
| 337 | // Or, tl;dr: |
| 338 | // |
| 339 | // If you do a wildcard CNAME onto the k0 ingress, you |
| 340 | // should explicitly state *.your.name.com here. |
| 341 | // |
| 342 | // If you just want to protect your host from being |
| 343 | // hijacked by other cluster users, you should also state |
| 344 | // it here (either as a wildcard, or unary domains). |
| 345 | allow_domain: [ |
radex | c2c66bf | 2023-08-17 14:28:32 +0200 | [diff] [blame] | 346 | { namespace: "inventory", dns: "inventory.hackerspace.pl" }, |
radex | 3ca8454 | 2023-10-08 23:52:08 +0200 | [diff] [blame] | 347 | { namespace: "capacifier", dns: "capacifier.hackerspace.pl" }, |
radex | b8d4a8a | 2023-09-22 23:46:05 +0200 | [diff] [blame] | 348 | { namespace: "ldapweb", dns: "profile.hackerspace.pl" }, |
radex | 3fdda9c | 2023-10-23 22:25:35 +0200 | [diff] [blame] | 349 | { namespace: "walne", dns: "walne.hackerspace.pl" }, |
Serge Bazanski | 3c5d836 | 2021-02-06 17:27:02 +0000 | [diff] [blame] | 350 | { namespace: "devtools-prod", dns: "hackdoc.hackerspace.pl" }, |
| 351 | { namespace: "devtools-prod", dns: "cs.hackerspace.pl" }, |
Radek Pietruszewski | 934f7d3 | 2023-11-03 19:02:51 +0100 | [diff] [blame] | 352 | { namespace: "sourcegraph", dns: "cs.hackerspace.pl" }, |
Piotr Dobrowolski | e4519b1 | 2023-10-07 21:13:02 +0200 | [diff] [blame] | 353 | { namespace: "codehosting-prod", dns: "git.hackerspace.pl" }, |
| 354 | { namespace: "codehosting-prod", dns: "code.hackerspace.pl" }, |
Serge Bazanski | 3c5d836 | 2021-02-06 17:27:02 +0000 | [diff] [blame] | 355 | { namespace: "engelsystem-prod", dns: "engelsystem.hackerspace.pl" }, |
| 356 | { namespace: "gerrit", dns: "gerrit.hackerspace.pl" }, |
Serge Bazanski | 6e10e46 | 2023-10-08 12:29:55 +0000 | [diff] [blame] | 357 | { namespace: "gerrit-qa", dns: "gerrit-qa.hackerspace.pl" }, |
Serge Bazanski | 3c5d836 | 2021-02-06 17:27:02 +0000 | [diff] [blame] | 358 | { namespace: "gitea-prod", dns: "gitea.hackerspace.pl" }, |
| 359 | { namespace: "hswaw-prod", dns: "*.hackerspace.pl" }, |
Serge Bazanski | 99b91b1 | 2021-03-28 17:34:32 +0000 | [diff] [blame] | 360 | { namespace: "hswaw-prod", dns: "*.hswaw.net" }, |
Serge Bazanski | 63ce423 | 2023-10-09 23:41:15 +0000 | [diff] [blame] | 361 | { namespace: "site", dns: "new.hackerspace.pl" }, |
Serge Bazanski | 3c5d836 | 2021-02-06 17:27:02 +0000 | [diff] [blame] | 362 | { namespace: "internet", dns: "internet.hackerspace.pl" }, |
| 363 | { namespace: "matrix", dns: "matrix.hackerspace.pl" }, |
| 364 | { namespace: "onlyoffice-prod", dns: "office.hackerspace.pl" }, |
Piotr Dobrowolski | 3b2a2a2 | 2023-01-05 08:26:02 +0100 | [diff] [blame] | 365 | { namespace: "paperless", dns: "paperless.hackerspace.pl" }, |
Serge Bazanski | 3c5d836 | 2021-02-06 17:27:02 +0000 | [diff] [blame] | 366 | { namespace: "redmine", dns: "issues.hackerspace.pl" }, |
Serge Bazanski | 877cf0a | 2021-02-08 00:34:34 +0100 | [diff] [blame] | 367 | { namespace: "redmine", dns: "b.hackerspace.pl" }, |
| 368 | { namespace: "redmine", dns: "b.hswaw.net" }, |
| 369 | { namespace: "redmine", dns: "xn--137h.hackerspace.pl" }, |
| 370 | { namespace: "redmine", dns: "xn--137h.hswaw.net" }, |
Serge Bazanski | 3c5d836 | 2021-02-06 17:27:02 +0000 | [diff] [blame] | 371 | { namespace: "speedtest", dns: "speedtest.hackerspace.pl" }, |
| 372 | { namespace: "sso", dns: "sso.hackerspace.pl" }, |
Serge Bazanski | 1684211 | 2022-11-17 19:30:05 +0000 | [diff] [blame] | 373 | { namespace: "mastodon-hackerspace-qa", dns: "social-qa-2.hackerspace.pl" }, |
| 374 | { namespace: "mastodon-hackerspace-prod", dns: "social.hackerspace.pl" }, |
Serge Bazanski | 3c5d836 | 2021-02-06 17:27:02 +0000 | [diff] [blame] | 375 | |
radex | e36beba | 2023-10-11 00:41:48 +0200 | [diff] [blame] | 376 | // auto-namespaced domains, i.e: |
| 377 | // USER.hscloud.ovh is allowed for personal-USER namespace |
| 378 | // *.USER.hscloud.ovh is allowed for personal-USER namespace |
| 379 | { namespace: "personal-$2", dns: "(.*\\.)?([^.]+)\\.hscloud\\.ovh", regexp: true }, |
| 380 | |
| 381 | // cluster infra |
Serge Bazanski | 3c5d836 | 2021-02-06 17:27:02 +0000 | [diff] [blame] | 382 | { namespace: "ceph-waw3", dns: "ceph-waw3.hswaw.net" }, |
| 383 | { namespace: "ceph-waw3", dns: "object.ceph-waw3.hswaw.net" }, |
Serge Bazanski | 38f72fe | 2021-09-13 23:43:47 +0000 | [diff] [blame] | 384 | { namespace: "ceph-waw3", dns: "object.ceph-eu.hswaw.net" }, |
Serge Bazanski | 3c5d836 | 2021-02-06 17:27:02 +0000 | [diff] [blame] | 385 | { namespace: "monitoring-global-k0", dns: "*.hswaw.net" }, |
| 386 | { namespace: "registry", dns: "*.hswaw.net" }, |
| 387 | |
radex | e36beba | 2023-10-11 00:41:48 +0200 | [diff] [blame] | 388 | // personal namespaces |
Serge Bazanski | 3c5d836 | 2021-02-06 17:27:02 +0000 | [diff] [blame] | 389 | { namespace: "q3k", dns: "*.q3k.org" }, |
| 390 | { namespace: "personal-q3k", dns: "*.q3k.org" }, |
radex | e36beba | 2023-10-11 00:41:48 +0200 | [diff] [blame] | 391 | { namespace: "personal-radex", dns: "hs.radex.io" }, |
| 392 | { namespace: "personal-radex", dns: "*.hs.radex.io" }, |
Serge Bazanski | 3c5d836 | 2021-02-06 17:27:02 +0000 | [diff] [blame] | 393 | ], |
Serge Bazanski | c1f3725 | 2023-06-19 21:56:29 +0000 | [diff] [blame] | 394 | |
| 395 | anything_goes_namespace: [ |
| 396 | // sourcegraph ingress wants a config snippet to set a header. |
| 397 | "devtools-prod", |
Radek Pietruszewski | 934f7d3 | 2023-11-03 19:02:51 +0100 | [diff] [blame] | 398 | "sourcegraph", |
Serge Bazanski | c1f3725 | 2023-06-19 21:56:29 +0000 | [diff] [blame] | 399 | ], |
Serge Bazanski | 3c5d836 | 2021-02-06 17:27:02 +0000 | [diff] [blame] | 400 | }, |
| 401 | }, |
| 402 | }, |
radex | 0776a79 | 2023-10-10 00:02:29 +0200 | [diff] [blame] | 403 | |
| 404 | // Configuration of RoleBindings |
| 405 | admins: admins.NamespaceAdmins { |
| 406 | // Cluster staff have full access to all namespaces |
| 407 | // To give non-staff users admin access scoped to a given namespace, |
| 408 | // add them to the list below. |
| 409 | // (system:admin-namespace role is given to <user>@hackerspace.pl) |
| 410 | namespaces:: { |
| 411 | "inventory": [ |
| 412 | "radex", |
| 413 | "palid", |
| 414 | ], |
radex | 3fdda9c | 2023-10-23 22:25:35 +0200 | [diff] [blame] | 415 | "walne": [ |
| 416 | "radex", |
| 417 | "palid", |
| 418 | ], |
radex | 0776a79 | 2023-10-10 00:02:29 +0200 | [diff] [blame] | 419 | "site": [ |
| 420 | "ar", |
| 421 | "radex", |
| 422 | ], |
| 423 | "valheim": [ |
| 424 | "patryk", |
| 425 | "palid", |
| 426 | ], |
| 427 | "matrix-0x3c": [ |
| 428 | "not7cd", |
| 429 | ], |
| 430 | "hswaw-prod": [ |
| 431 | "ar", |
| 432 | "radex", |
| 433 | ], |
| 434 | "ldapweb": [ |
| 435 | "radex", |
| 436 | ], |
Radek Pietruszewski | a6592b8 | 2023-10-30 20:27:25 +0100 | [diff] [blame] | 437 | "devtools-prod": [ |
| 438 | "radex", |
| 439 | ], |
| 440 | "depotview": [ |
| 441 | "radex", |
| 442 | ], |
| 443 | "hackdoc": [ |
| 444 | "radex", |
| 445 | ], |
| 446 | "sourcegraph": [ |
| 447 | "radex", |
| 448 | ], |
| 449 | "speedtest": [ |
| 450 | "radex", |
| 451 | ], |
| 452 | "internet": [ |
| 453 | "radex", |
| 454 | ], |
| 455 | "cebulacamp": [ |
| 456 | "radex", |
| 457 | ], |
| 458 | "teleimg": [ |
| 459 | "radex", |
| 460 | ], |
| 461 | "pretalx": [ |
| 462 | "radex", |
| 463 | ], |
radex | 0776a79 | 2023-10-10 00:02:29 +0200 | [diff] [blame] | 464 | } |
| 465 | } |
Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 466 | }, |
| 467 | } |